JOB DESCRIPTION
POST TITLE: Data Security Manager
GRADE: PO5
DEPARTMENT: Technology Solutions Group
SECTION: Information Governance
REPORTS TO: Chief Information Officer
MANAGES/SUPERVISES: None
PRIMARY JOB FUNCTION
The main purpose of this role is to support the Chief Information Officer and Network Operations
Manager to achieve the highest standards of information security within the Council. The post
holder will lead on the council’s commitment to preserving the confidentiality, integrity and
availability of all the physical and electronic information assets throughout Islington Council.
In particular, the post holder will need to (a) ensure the council complies with relevant legislation,
regulations, codes of practice or technical guidance in all matters relating to security, (b) provide
specialist advice for security on matters relating to security management within the Council, and (c)
provide specialist training to all levels of staff within the organisation on all matters relating to
security.
The post-holder will need to be aware of the bigger picture within the Council and to understand
the importance of Data Security management, including external drivers and standards such as
ISO 27001. The post-holder will be responsible for keeping the authority informed on these issues
and advising them of the best approach and opportunities.
This job description will be subject to periodic review and amendment in accordance with the
needs of the Council and the continuous changes to this agenda.
ApMay841006284D:\841006284.doc
DUTIES AND RESPONSIBILITIES
LEAD ON DATA SECURITY

To take the lead on data security management and advise the authority on the application
and implications of the Data Protection Act, specifically in relation to the seventh principle
relating to security. This task requires the ability to interpret the requirements of the Act and
advise on best practice to ensure compliance.

To provide expert guidance around data security management that may require the
authority to take a course of action which could involve substantial impact on
resources.

To establish and chair a Data Security Working Group represented by service areas and to
set the agenda for these meetings, chair the meetings and ensure that reliable, accurate
information is relayed and recorded.

To advise customers on security concerns and recommendations with regard to the
security of data and systems and to build strong relationships with all service areas in order
to foster excellent team working and support for improved data security management.

To regularly report on information security incidents to the Technology and Information
Management Board, the Corporate Management Board and members, as required.

To represent the council on project boards that have a strong security delivery element, to ensure
that appropriate actions are taken to ensure continued compliance with corporate data
security standards.
POLICY, STRATEGY AND PROCEDURES

To define, document and implement security policies that affect all directorates within the
council, working to develop Islington’s ICT Security Policy Framework (this is the
overarching policy framework for Islington Council’s technology security arrangements and
describes the governance arrangements in place to make sure they are fit for purpose).

To ensure that Islington’s ICT Security Policy Framework is reviewed regularly.

To undertake a continual security policy gap analysis and to establish these policies and
have them approved at the TIM Board.

To ensure that data security policies are implemented, enforced and monitored and to
ensure the council embraces a culture of confidentiality.

To develop data security procedures and ensure they are approved; these provide the more
detailed steps that service areas need to adhere to in order to implement the data security
policies.
ANNUAL HEALTH CHECK AUDIT

Lead on an annual health check of all Council IT infrastructure systems and facilities, to
include, but not restricted to, the following: (a) a full penetration test, (b) a network
summary that will identify all IP addressable devices, (c) network analysis, including
exploitable switches and gateways, (d) vulnerability analysis, including patch levels, poor
passwords and services used, (e) exploitation analysis, and (f) a summary report with
recommendations for improvement.

To prepare a proposal for regular system vulnerability and penetration testing to the TIM
Board.

To assist in the development of the annual health check action plan. This involves the
assessment of council systems, processes and policies against standards within own area
of responsibility, and liaison with staff across the organisation.

To forward plan and implement a system of full data protection audit within the council.
This will involve liaison with staff across the council and assessing systems and processes
against regulations.

To report on the results of the data protection audit making recommendations for
improvements. This will involve liaison with senior staff across the organisation.

To establish a data risk log. This will become part of a sustainable audit whereby this risk
can be regularly reviewed. In addition, this will feed into directorate and corporate risk
registers.
INCIDENT MANAGEMENT

To ensure that the council’s information systems are secure and to respond to security
related incidents in whatever way is appropriate.

To ensure robust systems are in place for monitoring data security incidents.

To ensure that all information security incidents are recorded and that all ‘evidence’ related
to any incident is recorded and maintained for legal retention periods.

To meet tight deadlines and prioritise demands in order to manage incidents for the
authority.

Assist in the investigation of security incidents as required; this may involve reviewing audit
trails, manually checking individuals’ accounts, conducting interviews, producing system reports
regarding activity, etc.

Where appropriate, to notify security incidents to GovCertUK.
RISK MANAGEMENT

To research and develop a security strategy by being aware of potential threats and
possible countermeasures, using this knowledge to make judgements based on analysis of
a range of options and conflicting opinions, so that highly complex security
issues are understood and the risks are managed.

To put in place the vehicle for raising and monitoring risks on a regular basis, with
reference to the Technology and Information Management Board.

To ensure that regular risk assessments are completed in departments and that results are
recorded.

To assist in taking timely action resulting from any risk assessment recommendations. This
may involve liaison with other departments such as estates or planning. It is essential to
keep the Chief Information Officer informed if there are any issues of non-compliance.
NETWORK SECURITY

To ensure the most appropriate anti-virus software is deployed across the Council’s
Network.

To carry out regular reviews and evaluations of all procedures and processes relating to
anti-virus, email monitoring, Internet access and network access.

To run regular reporting to monitor email and Internet usage.

To assist and provide guidance to the First Line engineers and Network engineers in the
event of a Security alert.

To investigate the vulnerability of the Council to potential malicious attacks and recommend
defensive actions.

To attend regular training and conferences in order to brief the Council on the industry’s
latest guidance for dealing with external threats to the Council.

To provide support to customers relating to viruses, email usage, Internet access and
investigation into misuse of the Council’s network.

To provide advice and guidance on how to minimise the impact to the Council of potential
software viruses and threats to the Network.
TRAINING AND COMMUNICATIONS

To communicate with all levels of staff, including senior staff in the organisation, in relation to
data protection / information security matters. This entails providing advice and support that
may be actioned by others. Meet with department heads and third party suppliers to
discuss security and legal issues, many of which are extremely complex. Analyse and
recommend courses of action through presentations and reports.

Undertake any training activity to ensure council policies and procedures are understood,
and to develop any new knowledge within the role.

Ensure that data protection and information security training is up-to-date, and incorporates
the trust’s current policies and practices.

Ensure that data protection and information security training is monitored for quality and
understanding. This is usually achieved by post-training questionnaires and interviews.

To assist in the review of posters and leaflets communicated to individuals in relation to
how their information is processed.

To develop and maintain the department’s Intranet site, ensuring that it contains the most
up-to-date and accurate information.

To actively promote best practice across the Council relating to the use of email, anti-virus
software and Internet access.

To establish a process whereby job descriptions are amended to accurately reflect
responsibilities.
KEEP ABREAST OF DATA SECURITY TRENDS

Be aware of current and possible future trends in network security and take into account
current trust procedures, to define and develop procedures and policies for appropriate and
secure use of the trust’s IT systems.

Adherence to standards, including ISO 27001 and the Information Technology
Infrastructure Library (ITIL).
ADDITIONAL:

To undertake other duties commensurate with the grade of the post.

To represent the Chief Information Officer and Network Operations Manager at external
meetings in relation to data protection and information security.

To prepare written reports for the Chief Information Officer and Network Operations Manager
and Project Boards as required.

To deputise at meetings for Chief Information Officer and Network Operations Manager as
required.

To use and assist others in the use of information technology systems to carry out duties in the
most efficient and effective manner.

To achieve agreed service outcomes and outputs, and personal appraisal targets, as agreed
by the line manager.

To undertake training and constructively take part in meetings, supervision, seminars and other
events designed to improve communication and assist with the effective development of the post
and post holder.

The post holder is expected to be committed to the Council’s core values of public service,
quality, equality and empowerment and to demonstrate this commitment in the way they carry out
their duties.

Ensure all the services within the area(s) of responsibility are provided in accordance with the
Council's commitment to high quality service provision to users.

Ensure that duties are undertaken with due regard and compliance with the Data Protection Act
and other legislation.

Carry out duties and responsibilities in accordance with the Council’s Health and Safety Policy
and relevant Health and Safety legislation.

At all times carry out responsibilities/duties within the framework of the Council's Dignity for
All Policy (Equal Opportunities Policy).
Post holder Declaration
Name
Signed:
Date:
Rev Jun 2010
PERSON SPECIFICATION
Department: Corporate Resources
Section: Information Governance
Post Title: Data Security Manager
Grade: PO5
REQUIREMENTS
A/I/T*
EDUCATION and EXPERIENCE
E1
Educated to degree level or substantial senior technical experience.
E2
Experience in working in a senior expert role within a local authority or large organisation
at corporate level, working with senior officers and other authorities and agencies.
A/I
E2
High level of IT literacy – direct experience of working with data security applications,
systems and solutions.
A/I
A
KNOWLEDGE, SKILLS and ABILITY
E3
Ability to drive forward change effectively, using a flexible, consultative and supportive
approach.
A/I
E4
The ability to get things done without direct authority over a team. Good negotiating and
influencing skills.
A/I
E5
Knowledge and practical experience of meeting legal compliance requirements around
legislation such as the Data Protection Act (1998).
A/I
E6
Experience of working to standards such as ISO 27001 and the Information Technology
Infrastructure Library (ITIL); awareness of the latest developments and innovations in data
security.
A/I
E7
Excellent time management skills to work effectively under pressure.
A/I
E8
A solid understanding of good project delivery and case management so that objectives
are achieved to deadline and cost.
A/I
E9
Ability to manage budgets.
A/I
E10
An ability to analyse complex issues and data, including research, financial and
management information, both verbally and in writing.
E11
Ability to undertake research and development work to ensure that the organisation is up
to date with the latest developments in data security management.
E12
Experience of providing training and guidance around data security issues, from IT
engineers to non-IT literate staff.
E13
Ability to work flexibly and on occasions out of office hours.
A/I
E14
Ability to communicate effectively in both written and oral presentation and at all levels.
T
T
A/I
A
COMMITMENT TO EQUAL OPPORTUNITIES
E15
Ability to adhere to the Council’s Dignity for All policy.
A
E = Essential
D = Desirable
*Assessed by: A = Application, I = Interview, T = Test
Revised December 2009