JOB DESCRIPTION

POST TITLE: Data Security Manager
GRADE: PO5
DEPARTMENT: Technology Solutions Group
SECTION: Information Governance
REPORTS TO: Chief Information Officer
MANAGES/SUPERVISES: None

PRIMARY JOB FUNCTION

The main purpose of this role is to support the Chief Information Officer and the Network Operations Manager in achieving the highest standards of information security within the Council. The post holder will lead on the Council's commitment to preserving the confidentiality, integrity and availability of all physical and electronic information assets throughout Islington Council. In particular, the post holder will need to (a) ensure the Council complies with relevant legislation, regulations, codes of practice and technical guidance in all matters relating to security, (b) provide specialist advice on security management within the Council, and (c) provide specialist training to staff at all levels of the organisation on all matters relating to security.

The post holder will need to be aware of the bigger picture within the Council and understand the importance of data security management, including external drivers and standards such as ISO 27001. The post holder will be responsible for keeping the authority informed on these issues and advising it on the best approach and opportunities.

This job description will be subject to periodic review and amendment in accordance with the needs of the Council and the continuous change in this agenda.

ApMay841006284D:\841006284.doc

DUTIES AND RESPONSIBILITIES

LEAD ON DATA SECURITY

To take the lead on data security management and advise the authority on the application and implications of the Data Protection Act, specifically in relation to the seventh principle, which concerns security. This task requires the ability to interpret the requirements of the Act and to advise on best practice to ensure compliance.
To provide expert guidance on data security management, which may require the authority to take a course of action with a substantial impact on resources.

To establish and chair a Data Security Working Group with representation from all service areas; to set the agenda for its meetings, chair them, and ensure that reliable, accurate information is relayed and recorded.

To advise customers on security concerns and recommendations regarding the security of data and systems, and to build strong relationships with all service areas in order to foster excellent team working and support for improved data security management.

To report regularly on information security incidents to the Technology and Information Management (TIM) Board, the Corporate Management Board and members, as required.

To represent the Council on project boards with a strong security delivery element, to ensure that appropriate actions are taken to maintain compliance with corporate data security standards.

POLICY, STRATEGY AND PROCEDURES

To define, document and implement security policies that affect all directorates within the Council, working to develop Islington's ICT Security Policy Framework (the overarching policy framework for Islington Council's technology security arrangements, which describes the governance arrangements in place to make sure they are fit for purpose).

To ensure that Islington's ICT Security Policy Framework is reviewed regularly.

To undertake a continual security policy gap analysis, and to establish the resulting policies and have them approved by the TIM Board.

To ensure that data security policies are implemented, enforced and monitored, and that the Council embraces a culture of confidentiality.

To develop, and secure approval for, data security procedures that set out the more detailed steps service areas must follow in order to implement the data security policies.
ANNUAL HEALTH CHECK AUDIT

To lead on an annual health check of all Council IT infrastructure, systems and facilities, to include, but not be restricted to, the following: (a) a full penetration test, (b) a network summary identifying all IP-addressable devices, (c) network analysis, including exploitable switches and gateways, (d) vulnerability analysis, including patch levels, weak passwords and services in use, (e) exploitation analysis, and (f) a summary report with recommendations for improvement.

To prepare a proposal for regular system vulnerability and penetration testing for the TIM Board.

To assist in the development of the annual health check action plan. This involves assessing Council systems, processes and policies against standards within the post holder's own area of responsibility, and liaison with staff across the organisation.

To forward plan and implement a programme of full data protection audit within the Council. This will involve liaison with staff across the Council and assessing systems and processes against the regulations.

To report on the results of the data protection audit, making recommendations for improvement. This will involve liaison with senior staff across the organisation.

To establish a data risk log. This will become part of a sustainable audit process whereby these risks can be reviewed regularly; in addition, it will feed into directorate and corporate risk registers.

INCIDENT MANAGEMENT

To ensure that the Council's information systems are secure and to respond to security-related incidents in whatever way is appropriate.

To ensure robust systems are in place for monitoring data security incidents.

To ensure that all information security incidents are recorded, and that all evidence relating to any incident is recorded and maintained for the legal retention periods.

To meet tight deadlines and prioritise demands in order to manage incidents for the authority.
To assist in the investigation of security incidents as required; this may involve reviewing audit trails, manually checking individuals' accounts, conducting interviews, producing system reports on activity, etc.

Where appropriate, to notify security incidents to GovCertUK.

RISK MANAGEMENT

To research and develop a security strategy, keeping aware of potential threats and possible countermeasures, and to use this knowledge to make judgements based on analysis of a range of options and conflicting opinions, so that highly complex security issues are understood and the risks are managed.

To put in place the vehicle for raising and monitoring risks on a regular basis, with reference to the Technology and Information Management Board.

To ensure that regular risk assessments are completed in departments and that the results are recorded.

To assist in taking timely action on any risk assessment recommendations. This may involve liaison with other departments such as Estates or Planning.

It is essential to keep the Chief Information Officer informed of any issues of non-compliance.

NETWORK SECURITY

To ensure the most appropriate anti-virus software is deployed across the Council's network.

To carry out regular reviews and evaluations of all procedures and processes relating to anti-virus, email monitoring, Internet access and network access.

To run regular reporting to monitor email and Internet usage.

To assist and provide guidance to the First Line engineers and Network engineers in the event of a security alert.

To investigate the Council's vulnerability to potential malicious attacks and recommend defensive actions.

To attend regular training and conferences in order to brief the Council on the industry's latest guidance for dealing with external threats to the Council.

To provide support to customers relating to viruses, email usage, Internet access and investigation of misuse of the Council's network.
To provide advice and guidance on how to minimise the impact on the Council of potential software viruses and threats to the network.

TRAINING AND COMMUNICATIONS

To communicate with staff at all levels of the organisation, including senior staff, on data protection and information security matters. This entails providing advice and support that may be actioned by others.

To meet with department heads and third-party suppliers to discuss security and legal issues, many of which are extremely complex, and to analyse and recommend courses of action through presentations and reports.

To undertake any training activity needed to ensure Council policies and procedures are understood, and to develop any new knowledge required within the role.

To ensure that data protection and information security training is up to date and incorporates the Council's current policies and practices.

To ensure that data protection and information security training is monitored for quality and understanding. This is usually achieved through post-training questionnaires and interviews.

To assist in the review of posters and leaflets that tell individuals how their information is processed.

To develop and maintain the department's intranet site, ensuring that it contains the most up-to-date and accurate information.

To actively promote best practice across the Council relating to the use of email, anti-virus software and Internet access.

To establish a process by which job descriptions are amended to accurately reflect data security responsibilities.

KEEP ABREAST OF DATA SECURITY TRENDS

To be aware of current and possible future trends in network security and, taking into account the Council's current procedures, to define and develop procedures and policies for the appropriate and secure use of the Council's IT systems.

To adhere to standards, including ISO 27001 and the Information Technology Infrastructure Library (ITIL).

ADDITIONAL

To undertake other duties commensurate with the grade of the post.
To represent the Chief Information Officer and Network Operations Manager at external meetings in relation to data protection and information security.

To prepare written reports for the Chief Information Officer, the Network Operations Manager and Project Boards as required.

To deputise for the Chief Information Officer and Network Operations Manager at meetings as required.

To use, and assist others in the use of, information technology systems to carry out duties in the most efficient and effective manner.

To achieve agreed service outcomes and outputs, and personal appraisal targets, as agreed with the line manager.

To undertake training and constructively take part in meetings, supervision, seminars and other events designed to improve communication and assist with the effective development of the post and post holder.

The post holder is expected to be committed to the Council's core values of public service, quality, equality and empowerment, and to demonstrate this commitment in the way they carry out their duties.

To ensure that all services within the area(s) of responsibility are provided in accordance with the Council's commitment to high-quality service provision to users.

To ensure that duties are undertaken with due regard to, and in compliance with, the Data Protection Act and other legislation.

To carry out duties and responsibilities in accordance with the Council's Health and Safety Policy and relevant Health and Safety legislation.

At all times to carry out responsibilities and duties within the framework of the Council's Dignity for All Policy (Equal Opportunities Policy).

Post holder declaration
Name:
Signed:
Date:

Rev Jun 2010

PERSON SPECIFICATION

Department: Corporate Resources
Section: Information Governance
Post Title: Data Security Manager
Grade: PO5

REQUIREMENTS (assessed by A/I/T*)

EDUCATION AND EXPERIENCE

E1 Educated to degree level, or substantial senior technical experience.
E2 Experience of working in a senior expert role within a local authority or large organisation at corporate level, working with senior officers and with other authorities and agencies. A/I
E2 High level of IT literacy: direct experience of working with data security applications, systems and solutions. A/I, A

KNOWLEDGE, SKILLS AND ABILITY

E3 Ability to drive forward change effectively, using a flexible, consultative and supportive approach. A/I
E4 The ability to get things done without direct authority over a team; good negotiating and influencing skills. A/I
E5 Knowledge and practical experience of meeting legal compliance requirements under legislation such as the Data Protection Act (1998). A/I
E6 Experience of working to standards such as ISO 27001 and the Information Technology Infrastructure Library (ITIL); awareness of the latest developments and innovations in data security. A/I
E7 Excellent time management skills, to work effectively under pressure. A/I
E8 A solid understanding of good project delivery and case management, so that objectives are achieved to deadline and cost. A/I
E9 Ability to manage budgets. A/I
E10 Ability to analyse complex issues and data, including research, financial and management information, both verbally and in writing.
E11 Ability to undertake research and development work to ensure that the organisation is up to date with the latest developments in data security management.
E12 Experience of providing training and guidance on data security issues, from IT engineers to non-IT-literate staff.
E13 Ability to work flexibly and, on occasion, outside office hours. A/I
E14 Ability to communicate effectively in both written and oral presentation, and at all levels. T T A/I A

COMMITMENT TO EQUAL OPPORTUNITIES

E15 Ability to adhere to the Council's Dignity for All policy. A

E = Essential; D = Desirable
*Assessed by: A = Application; I = Interview; T = Test

Revised December 2009