The ONS operates a flexible hybrid working model across the UK, with colleagues linked to one of our contractual locations working between office and remote throughout the week. The locations for this role are Newport, Titchfield (Fareham), London and Manchester.
All colleagues are required to work from their contractually allocated site for at least 40% of their working time. Due to current capacity constraints, there is an exception for colleagues based at the Manchester office, where office attendance is 20%; this is expected to move to 40% attendance in 2025-2026.
The induction process for the role will be conducted in person.
About the job
Job summary
The Office for National Statistics (ONS) has a long history of working with personal, economic and commercial information. Security and the management of information used for corporate and statistical activities is critical to business operations and the trust that citizens place in us. ONS has a strong commitment to protecting this information.
The last few years have seen an extensive overhaul of security and information management to meet the challenges of corporate and statistics transformation in technology, methods and practice, the Digital Economy Act and organisational risk appetite. The capability is evolving and expanding to address changes in threat and business direction.
Security and Information Management Directorate (SaIM) operates five key services across ONS: security risk advice and management; knowledge and information management (KIM); physical security and business continuity; security compliance and audit; security operations, including our Security Operations Centre.
Job description
The Cyber Security Risk Manager - Lead role forms part of the Advisory Security team within the Security and Information Management Division at the Office for National Statistics (ONS). The role reports to the Cyber Security Risk Manager - Principal.
The primary focus of the role is to provide the Organisation with security advice and best practice to develop 'Secure by Design' protections for organisational assets and to embed the ONS Security Framework (principles, policies, processes, threat model and security risk management) into the ONS. This includes security advice, guidance and risk management activities to support large cross-disciplinary programmes of work, such as the Integrated Data Service (IDS), as well as engagement with specialised business units in their delivery objectives.
Key outcomes from the role are the identification of security risk within the business context, the identification of appropriate mitigation approaches for business selection and the management of these options through to implementation within the live service. The security advice provided will be informed by threat, vulnerability and risk analysis for business and third parties. Effective communication of security concepts and providing appropriate guidance to stakeholders at different levels is key for the role.
The focus, outcomes and responsibilities are aligned to the Government Security Profession framework of the Cyber Security Risk Manager - lead.
Key Responsibilities
1. Support and influence the development of business-focused security solutions for large programmes of work, digital products and business operations that cover data collection, storage and processing, deployed both internally and externally;
2. Identify security threat and risk to the Organisation's digital products and business operations being developed through Agile methodologies and Supplier processes;
3. Lead the analysis and derivation of business-supporting security needs, undertake Cyber Security related risk assessments, conduct tailored threat assessment and other risk management activities, and ensure activities are consistent with applicable regulations and legislation;
4. Independently undertake risk management activities within a given area of practice or expertise, usually within established security and risk management governance structures;
5. Lead the analysis and derivation of business-supporting security needs for large programmes of work, undertake Cyber Security related risk assessments, conduct tailored threat assessment and other risk management activities, and ensure activities are consistent with applicable regulations and legislation;
6. Consult with and influence the Organisation's security stakeholders to ensure that the solutions deployed are secure and fit for purpose;
7. Liaise effectively with the Organisation's business, technology and security colleagues to build their security capability and ensure various business needs are supported by appropriate, proportional security solutions.
8. Provide general security architecture, guidance and advice to the stakeholders, ensuring that security policies and security controls remain appropriate and adaptable to the changing threat environment, business requirements and ONS policies;
9. Provide tailored advice to a range of stakeholders on how to remedy identified risks by proportionately applying security capabilities, using published guidance, standards, and drawing on a range of experts as well as personal expertise;
10. Provide expert security advice that highlights Cyber Security related risks, so risk or service owners can make well-informed and audit-able decisions.
11. HMG Vetting at Security Clearance (SC) and if appropriate Developed Vetting (DV) level will be required once in role.
Person specification
Essential Criteria:
1. Expert knowledge of application, infrastructure and networking security controls and systems covering physical, procedural and technical (ICT) areas, particularly in relation to data management.
2. Experienced in providing detailed security advice and technical security solutions in a UK Government Department, with an ability to effectively communicate complex security requirements and solutions to a wide range of stakeholders.
3. Good knowledge of the UK Government Security Policy Framework and Information Assurance Standards (e.g. ISO 27001, DPA), and ability to communicate security requirements and outcomes at all levels.
4. Holding or working towards relevant professional qualifications and memberships, e.g. Senior Practitioner level within the CESG Certified Professional scheme (CCP), British Computer Society (BCS).
5. Track record in working as part of a multi-divisional team covering a multi-discipline environment, ideally in supporting large programmes of work.
Link to The Government Security Profession career framework
Behaviours
We'll assess you against these behaviours during the selection process:
1. Seeing the Big Picture
2. Communicating and Influencing
3. Leadership
Technical skills
We'll assess you against these technical skills during the selection process:
1. Applied Security Capability - Practitioner
2. Information Risk Assessment and Risk Management - Practitioner
3. Protective Security - Practitioner
4. Threat Understanding - Practitioner