IMPORTANT NOTICE REGARDING APPLICATION DEADLINE: Please note that the closing date for submission of applications is indicated in local time as per the time zone of the applicant's location.
Organizational Setting
The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises hardware and software platforms, and cloud and externally-hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.
Main Purpose
The Chief Information Security Officer (CISO), reporting to the IAEA's Director of Information Technology/Chief Information Officer (DIR-MTIT/CIO) is accountable for the creation, implementation, and oversight of information security program and policies designed to reduce and mitigate information security risk across the Agency to a level tolerable to the organization. The CISO will establish and lead an enterprise-wide information security and assurance function, ensuring that confidentiality, integrity, and availability requirements of information systems and assets are identified and managed appropriately.
Role
The CISO is: (1) a leader, providing vision and direction, while inspiring the implementation of innovative security solutions and best practices that address the IAEA's priorities; (2) a manager of direct and indirect resources within the Division as well as across the Agency; and (3) an advisor to DIR-MTIT/CIO and to others throughout the Agency on matters in connection with information security.
Functions / Key Results Expected
Business alignment
Build sound business relationships across the Agency to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
Provide clear and timely business advice to executive management on key information security and assurance issues.
Ensure representation of relevant and adequate information security and risk on relevant business and governance forums is known, well-integrated, and addressed across the Agency.
Information Security Governance
Provide leadership, vision, direction and management to the various information and cyber security engineering and operations teams across the Agency, to the decentralised technical teams within departments and to the IAEA as a whole.
Oversee, implement and improve the IAEA's Information Security Management System (ISMS) including its policies, standards and processes and align them with ISO 27001.
Ensure that all IT and information security programs are in compliance with applicable laws, regulations, and policies.
Information Security Awareness
Create, manage, deliver the relevant information Security Awareness training to the staff, and review effective information security awareness training.
Information Security Risk management
Establish and manage an information security and risk management capability and framework across the organisation and align it with the IAEA's risk management strategy.
Develop and obtain management approval for short and long term strategies, roadmaps, and business cases to appropriately mitigate, detect, and deter information security threats.
Conduct information security risk assessments across the enterprise at suitable intervals.
Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives.
Regularly verify that required information security and risk controls are in place, raising findings as noncompliance is found and driving improvement.
Ensure that internal and external audits are supported in development of an annual strategic audit plan.
Security Architecture
Develop and maintain an effective information security architectural approach.
Ensure the consistent application of security standards across global technical infrastructure.
Liaise with enterprise architecture to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
Collaboratively engage with other IS functions and business representatives to facilitate a globally standardized approach and governance structure to information security and risk.
Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.
Security Engineering and Operations
While various units within IT have direct responsibility for Security Operations, the CISO has an oversight role for the following functions:
Establish processes, processes and appropriate staff training to respond to significant information security breaches in a timely and proactive manner.
Monitor, manage, and deploy security controls as appropriate to support business needs while minimizing risk.
Oversee the close management and analysis of security information and events.
Respond to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
Lead the effort to maintain an effective and timely program to manage identity and access privileges.
Competencies and Expertise
Core Competencies(Competency Framework) Name Definition Planning and Organizing Plans and organizes his/her own work in support of achieving the team or Section’s priorities. Takes into account potential changes and proposes contingency plans. Communication Communicates orally and in writing in a clear, concise and impartial manner. Takes time to listen to and understand the perspectives of others and proposes solutions. Achieving Results Takes initiative in defining realistic outputs and clarifying roles, responsibilities and expected results in the context of the Department/Division’s programme. Evaluates his/her results realistically, drawing conclusions from lessons learned. Teamwork Actively contributes to achieving team results. Supports team decisions.
Functional Competencies Name Definition Client orientation Helps clients to analyse their needs. Seeks to understand service needs from the client’s perspective and ensure that the client’s standards are met. Commitment to continuous process improvement Plans and executes activities in the context of quality and risk management and identifies opportunities for process, system and structural improvement, as well as improving current practices. Analyses processes and procedures, and proposes improvements. Technical/scientific credibility Ensures that work is in compliance with internationally accepted professional standards and scientific methods. Provides scientifically/technically accepted information that is credible and reliable.
Required Expertise Function Name Expertise Description Information Technology IT Security Extensive knowledge and experience in Information Security Systems. Information Management Information Architecture Extensive knowledge and experience in Information Security Architecture. Information Technology Information Security and Risk Management Extensive knowledge and experience in Information Security and Risk Management areas.
Qualifications, Experience and Language skills
Remuneration
The IAEA offers an attractive remuneration package including a tax-free annual net base salary starting at US $92731 (subject to mandatory deductions for pension contributions and health insurance), a variable post adjustment which currently amounts to US $ 52764*, dependency benefits, rental subsidy, education grant, relocation and repatriation expenses; Other benefits include 6 weeks' annual leave, home leave travel, pension plan and health insurance. More information on the conditions of employment can be found at: https://www.iaea.org/about/employment/professional-staff/conditions
General Information
Evaluation process
Appointment information
This vacancy is archived.