Interim Security and Information Risk Advisor

Triumph Consultants Ltd ,
Huntingdon, Cambridgeshire
Salary: Pay Rate: Up to £911 per day, subject to IR35 status (depending on qualifications and experience)

Overview

Pay Rate: Up to £911 per day, subject to IR35 status, for candidates who are CESG Certified (90 WORKING DAYS), OR up to £660 per day, subject to IR35 status, for candidates who are NOT CESG Certified (120 WORKING DAYS).

Job Description:

- Document all aspects of the DAIS Lab to enable accreditation and maintenance of the capability over time.
- Document the procedures used to test and assess equipment and software so that tests can be repeated and carried out on similar equipment or applications in future by MOD staff who have completed level three of the DAIS Lab Training and Experience Plan.
- Provide ongoing support to DAIS SACs and attend SWGs where possible to help ensure informed decisions are being made with regard to each element (feature) being incorporated during the project's lifecycle.
- Continue support to DAIS accreditors as an SME for mobility projects, ensuring that educated risk acceptance is being made in line with the SIRO's risk appetite.
- Work alongside both DAIS SACs and accreditors to ensure that ITHCs and penetration tests are performed in line with industry best practice. As part of this process, any gaps in security assessments will be covered by testing performed at RAF Wyton where possible, to ensure that a true and factual security assessment is made. This also involves helping to scope upcoming ITHCs and penetration tests.
- As well as reviewing current and upcoming ITHCs and penetration tests, guidance documents will be generated under this contract with a list of 'must haves' to ensure that a true risk posture can be ascertained from the security assessments performed. The document set produced will include sample workflows to generate robust, appropriate and repeatable ITHC scoping documents, plus sample penetration test workflows and reports that can be used as a baseline against which to compare current and future tests.
- Specifically for mobility projects, document each element that should be tested during a penetration test, why it should be done, what the expected results should be, how the results may affect the device's risk posture, and how it could potentially be done for the most common devices.
- Develop monitoring guidance specifically for mobility projects that can then be applied to current and future capabilities. This will drive a capability that allows the GOSCC to ingest feeds, giving a proactive capability to monitor both on-device and network activities.
- Develop network monitoring guidance for where full data capture is possible and for where only NetFlow data can be captured. Mobile device baselining will help to drive this guidance, and amendments can be made for specific mobile platforms.
- Perform mobile baseline activities against the most commonly used mobile devices across defence. The baseline activities assess a device in its raw state, before any policies are applied and any applications are deployed. Where possible, these baselining activities should ensure that tests are performed with the device in several different states (e.g. connected to WiFi; connected to cellular with WiFi disabled).
- Incorporate NCSC mobile device lockdown policies into MoD policy for mobility projects; if such policies don't exist, look at developing a policy set across defence that can act as a crib sheet for project teams to work from on future mobility projects. This policy set should allow MoD to take its own stance, alongside the guidance of NCSC's device lockdown policies, on what is deemed acceptable and unacceptable risk if a specific policy is not followed. Such policies, if incorporated by project teams, should help streamline the process for SACs and accreditors during the risk identification and acceptance phases.
- Develop and maintain an enduring technical assurance testing capability at RAF Wyton. This capability should also ensure that kit (both hardware and software) requirements are met to provide testers/analysts with the technical capability to perform a full baseline of devices, including forensic analysis, and to perform the same tests against a device in its deployable state.
- Develop and maintain an enduring technical assurance testing capability for applications at RAF Wyton. The process of testing mobile applications should involve an offensive stance, where active steps are taken to replicate how an adversary may target applications with a weak security posture on a device.
- Develop and maintain an enduring IoT technical security assurance testing capability.
- Plan and document a process that allows DAIS to drive an innovative internal capability for mobile application vetting as a service. This service would allow projects with a high-risk capability to request a security assessment against an application they wish to deploy across their mobility fleet, and would allow SACs and accreditors to request a vendor-neutral security assessment against a specific application. The long-term goal of this capability would be to create an evolving dataset in which historic assessments can be referenced for future requests.
- Hold regular brown bag sessions with both the technical assurance teams and the SACs and accreditors in DAIS to ensure that they are kept up to date with any newly found vulnerabilities in the mobility arena.
- Hold regular training sessions with the technical assurance team in Wyton. The aim is to upskill the current staff to a point where they can carry out some of the tasks required during a penetration test or security assessment without supervision.
- Work closely with the innovations team and, where possible, assess through penetration testing activities the security posture of potential projects that the innovations team are investigating. This liaison is critical as it means technical, new and innovative solutions/ideas can be translated into high-level terminology on which the SACs and accreditors can make informed decisions. The testing activities performed against these projects help to inform not only DAIS but also the innovation team about the strengths and weaknesses of potential solutions and how problems may arise with similar solutions.
- Liaise and work closely with the Application Services Development Team (ASDT) in Mustang to help develop a yellow team that supports and ensures the successful delivery of cloud application hosting and development solutions.
- Help identify, fix and translate the cloud application development solutions being developed by the team in Mustang for the relevant SACs and accreditors, so they can not only understand any associated technical risks but also increase their own knowledge of cloud security.
- Develop and implement a cloud security strategy that outlines the types of penetration tests to be performed against any cloud hosting environment and what needs to be true for a factual risk assessment to be given against such solutions.
- Help with, and where possible/required lead, the process of developing a cloud security policy that outlines the core requirements for a solution to be accreditable by DAIS.
- Work closely with the relevant teams (specifically the newly adopted yellow team) in Mustang to ensure that any software solutions developed are developed in line with industry best practice secure coding principles. This would also involve holding brown bag sessions where secure coding principles are discussed and demonstrated, and looking through code snippets developed in house to try to identify any weaknesses in the current development process.
- Develop a process whereby source code for software solutions developed in house is checked against set criteria to ensure all code has been developed to protect the data passing through the application.

Candidates who are CESG Certified IA Professionals will be paid a higher rate than candidates who do not hold the certificate.

- The ability to conduct penetration tests, vulnerability assessments and compliance checks equivalent to a lead CREST certified tester.
- The ability to check whether security hardening has been correctly applied to equipment including mobile phones, tablets, laptops, servers and similar.
- The ability to compare installed operating systems with gold disc operating systems and report on the differences for equipment including mobile phones, tablets, laptops, servers and similar.

Contract Length: Either 90 or 120 days depending on qualifications.

"Essential Requirements" – Please check to ensure that your CV addresses the following items:

- Our clients are generally seeking applicants who are reasonably local, so on that basis we would ideally like you to supply us with your address (or at least your post code) and a telephone number so that we can reach you during working hours.
- Your recent UK working experience going back at least 5 years, or your full employment history if you have been working for fewer years than this.
- Your availability to work either immediately or at short notice.
- Qualifications and experience relevant to the job role – please give full details within your CV document.

Additional Requirements: SC security clearance.

Other preferable/desirable details to include on your CV, if applicable:

- Any local authority/public sector experience
- Any relevant qualifications held or being studied for