Information Policy

The Information Risk and Policy Officer plays a critical role in protecting PHSO’s information and people.

They will maintain the information and cyber security risk, third party, incident, and vulnerability registers to provide the senior information risk group with accurate and consistent status information.

The Risk and Policy Officer will be responsible for ensuring the accuracy and consistency of the information incident and data breach reporting process. They will use their analytical skills to identify themes and trends in threats, vulnerabilities, and information breaches, using excellent written and presentation skills to communicate threat intelligence and information risks across PHSO.

A part of the role will be to proactively develop expertise in practical cyber security, and manage the policy and evidence required to accredit PHSO to external security regimes such as Cyber Essentials.

**Main Duties**
- Use analytical skills to assess technical and business information to identify patterns and trends and perform a risk analysis of threats
- Work with colleagues to communicate threat intelligence and practical information security advice in formats appropriate to the audience (blogs, articles, coaching etc).
- Explain complex problems, policies, and protocols in simple terms to technical and non-technical audiences.
- Manage own workload to ensure that any increase in demand or resource constraint is flagged in an appropriate and timely manner.
- Assist the Data Protection Officer and other senior members of the team by preparing chronologies and evidence bundles in response to regulatory challenges.
- To horizon scan and maintain your knowledge of data protection, technologies, ICO action and decisions, cyber security, and information rights.
- Manage the information security lifecycle from identifying policy gaps through to implementation, testing and review.
- Be a credible champion for information rights, working with stakeholders to help PHSO deliver our strategic objectives whilst complying with the law.
- Present and provision data protection and cyber security training to colleagues and partners.
- Contribute to the data protection impact assessment process to ensure a consistent and compliant approach to high-risk data processing.
- Produce regular reports for performance management and business planning as requested.
- Positively partner with colleagues to address information risk in a proportionate, pragmatic manner.
- Work towards accreditation in Industry recognised qualifications in data protection and cyber security e.g., CISM, CIPT, CISSP
- Maintain a register of third-party information security risk
- Draft internal team guidance as directed.
- To triage and process alerts from security scanning and monitoring tools.
- Lead assurance activities to assess the effective implementation and operation of systems and controls to manage the information security risks.
- Liaise with procurement, legal and other colleagues to ensure pre-contract due diligence activities such as self-assessment, audits and independent assurance reviews are complete and satisfactory
- Conduct the vetting process for new suppliers is followed and to oversee continuous monitoring of existing suppliers.
- Act as lead Duty Incident Manager on a shared Rota basis to manage information security and personal data breaches in accordance with defined incident management processes, ensuring impacts and risks are appropriately identified, assessed, and mitigated.

**Knowledge**

**Essential**:

- Knowledge and experience of data protection, risk management and cyber security within a public authority
- Working knowledge of ISO 27001, NHS Data Security and Data Protection Toolkit, and/or Cyber Essentials +
- Sound knowledge of people management skills and processes.
- Practical knowledge of pen-testing would be preferred
- A broad understanding of IT tech including security technologies (firewalls, anti-virus, security incident and more)
- Understanding of public sector procurements and frameworks (Digital Marketplace)

Desirable:

- An understanding of the services of PHSO and the Ombudsman’s role
- An awareness of public administration (central government in particular) or the NHS and the context in which it operates

**Skills**

**Essential**:

- Ability to analyse technical designs and proposals
- Ability to manage performance
- Ability to identify trends and insight through data analysis
- IT literate including excel, Visio, SharePoint skills (NTH)
- Ability to map and re-engineer business processes (NTH)
- Good at building partnerships and positive relationships
- Excellent communication skills, including verbal and written
- Able to influence others including those outside of your direct working relationships
- Strong motivational skills
- Ability to write for publication
- Good planning and organisational skills
- Good problem-solving skills
- The ability to meet targets and deadlines
- Proven request h