Vacancy Details

CISO – Operations

Job number: SP04265
Profession: Security
Location: Sellafield or Risley
Contract type: Permanent contract
Salary: Negotiable
Posting date: 15/06/2022
Closing date: 04/07/2022
Job Description

The purpose of the role is to develop, implement and monitor a comprehensive enterprise information security and risk management programme, in line with strategic input, to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the business. The programme is based on the Nuclear Industries Security Regulations 2003 (enforced by the Office for Nuclear Regulation, ONR), the supporting ONR Security Assessment Principles, and relevant UK cyber security and information assurance policy and guidance covering nuclear and non-nuclear cyber security and, where appropriate, privacy matters.

The role provides technical process development, management and expertise for cyber security and information assurance (CS&IA) across Sellafield Limited (SL) and manages a medium-sized team of CS&IA subject matter experts. This enables the organisation to operate effectively and in line with nuclear security regulation and other controlling regulation.

Provide direct input and technical expertise into the formulation and implementation of major Cyber Security & Information Assurance policies, objectives and plans, particularly with regard to future demands, the consideration of options and the longer-term performance of the business.

Principal Accountabilities

Reporting directly to the S&R Head of Cyber Programme, and in consultation with the CISO – SA, develop and implement appropriate Key Performance Indicators to demonstrate that tactical and operational level plans are capable of achieving Cyber Protection System outcomes in accordance with the Office for Nuclear Regulation (ONR) Security Assessment Principles (SyAP) in the regulatory space, UK General Data Protection Regulation (UK GDPR) compliance in the privacy space, and compliance with broader business risk requirements.

To act as the SL point of contact with the Office for Nuclear Regulation for relevant elements of regulatory interaction, engagements and interventions in relation to the Sellafield Limited Nuclear Site Security Plan, Chapter 7 – Cyber Security & Information Assurance (the statement of legal compliance with nuclear security regulation).

To act as the SL point of contact with the Information Commissioner's Office (ICO) for regulatory interaction, engagements and interventions in relation to the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

To maintain working-level oversight of Data Protection compliance in line with the SL Data Protection Policy, the DPA 2018 and UK GDPR.

Working in conjunction with other Information Technology (IT), Operational Technology (OT), Information and Communication Technology (ICT) and cyber specialists across the enterprise, provide tactical and operational assurance, guidance and direction for the achievement of the desired Cyber Protection System outcomes (refer to SyAP), including commercial requirements in the contract and programme space.

Ensure effective arrangements are in place to enable the Head of CS&IA Risk to work directly with the business to facilitate information risk assessment and risk management processes, and work with stakeholders throughout the business on identifying acceptable levels of residual risk.

Ensure effective arrangements are in place to enable the recording and reporting of information risk incidents to the Office for Nuclear Regulation in accordance with the Nuclear Industries Security Regulations 2003, Regulation 22 – Duties of persons with sensitive nuclear information.

Ensure effective arrangements are in place to enable the measuring and reporting of mandatory data handling compliance in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Ensure the provision of an effective incident response capability via the Cyber Security Operations Centre (CSOC).

In conjunction with the CISO – SA, create a risk-based process for vendor information risk management, and work with CSOC Operations to communicate and implement that process, including the assessment and treatment of risks that may result from partners and other service providers.

Provide risk guidance for information-related projects, including the evaluation and recommendation of information controls within supply chain frameworks.

In collaboration with System Owners and System Technical Managers, develop and manage a capability to respond to and recover from disruptive or destructive cyber and information security events as part of the wider Cyber Incident Response, acting at the "Bronze" (operational) level under the strategic guidance of the CISO – SA at the "Silver" level.

Develop and maintain key stakeholder relationships, internally and externally, at local and national levels, in order to influence, improve and promote SL capabilities and capacity.

Support the ES&S Enterprise Leader / Capability Manager in the development of Enterprise Capability Plans (3-year resource forecast/plan) to enable the business to effectively discharge its regulatory commitments.

Provide oversight and guidance to the tactical and operational integration with the Nuclear Decommissioning Authority (NDA) Group CSOC to establish clearly defined boundaries of responsibility.

Essential Skills

The role holder should be degree qualified, or equivalent, in a relevant technology security discipline, with extensive work experience in the field of Cyber Security and Information Assurance.

The role holder should be recognised as a subject matter expert in the field of assurance and risk, and have demonstrable experience as a senior practitioner.

Authoritative knowledge in the area of Cyber Security and a proven ability to lead strategic discussions with internal and external stakeholders.

Desirable Skills

Hold or have held NCSC CCP or the former CLAS qualification.

Hold or have held a certification such as CISO, CISSP or SANS equivalent.

Experience in the application of NISR, RIPA (Regulation of Investigatory Powers Act 2000), CMA (Computer Misuse Act 1990) and other relevant statutory instruments, where appropriate.

Member of CIISec or the British Computer Society.

Prior or current experience in a senior CS&IA role, with wider knowledge of the Sellafield site and its operations, response arrangements and vulnerabilities, is preferable.

Pay & Benefits

As users of the Disability Confident Scheme, we guarantee to interview all disabled applicants who meet the minimum essential skills for the vacancy. You will be able to declare a disability when completing our application form. For further details on the scheme please contact GBS Resourcing directly. You are advised to regularly check your emails (including any junk mail/spam folders) for correspondence related to this post, including assessment or interview invitations and any other type of correspondence relating to your application. In the event of a high number of responses to any advert, Sellafield Ltd reserves the right to close the advert early. We are committed to creating an environment in which people grow, develop and perform at their best. To learn more about our manifesto, rewards and benefits, learning and development opportunities please visit: