Application closing date: 2 September 2018
The Security Unit
The Security Unit is responsible for end-to-end security tasks in the Agency. This includes the security of the systems which the Agency operates, the environment in which eu-LISA operates (hereunder the physical security of all Agency premises), the security of all Agency personnel and assets, as well as security related to outsourced activities.
The responsibilities of the Security Unit are organised in a Security and Continuity Management System (SCMS) split into five macro-domains: Governance, Risk and Assurance; Business Continuity Management; Protective Security; Information Security; System Security Management & Operations.
The organisational structure of the Security Unit distributes the staff into two Sectors, namely the Protective Security and Continuity Sector and the Information Security and Assurance Sector. The Unit is located both in Tallinn, Estonia and in Strasbourg, France.
Reporting to the Head of the Security Unit, under the supervision of the Head of the Information Security and Assurance Sector, the jobholder will be mainly responsible for supporting the Agency in the management of the Security and Continuity Management System (SCMS).
In particular, the jobholder will be responsible for:
Security design of the systems:
- Performing the business and security risks assessments as part of the initial deployment process of the new systems and of the further developments;
- Designing the security architecture of the system and the security requirements for the system.
Development and deployment of the systems:
- Drafting the security and resilience requirements for the inclusion in the technical specifications of the tender process, for the initial deployment of the new systems and for the further developments;
- Participating in the technical evaluation of the offers from contractors for the initial deployment of the new systems and their further developments, supporting any other procurement related process concerning the security of the systems;
- Supporting the project managers and the project teams during the project activities and process regarding security and business continuity areas;
- Participating in the elaboration of security-related use cases and test cases specific to the technical implementation of the systems;
- Implementing and testing the fulfilment of the technical security requirements for the systems.
Operations of the systems:
- Monitoring the security logs and configuration of the systems in order to identify any possible security-related incident or event;
- Continuously performing security risk assessments, by analysing and assessing the specific threats and vulnerabilities of the systems;
- Performing any internal security audit of the system as required;
- Supporting the technical service desk team and any other user of the system in the process of administrating/using the systems;
- Implementing the Security Incident Management System at the systems level;
- Developing system specific security policies, standards, procedures and guidelines regarding the management and use of the system;
- Reporting, as necessary, to the senior management about the security of the systems;
- Supporting the technical and procedural implementation of the specific business continuity and disaster recovery controls for the systems;
- Periodically performing penetration tests and other security tests regarding the systems;
- Ensuring the correct configuration of security components in different systems, in collaboration with the operational teams;
- Performing any other activities and processes specific for the role of the System Security Officer.
Other tasks and duties:
- Assisting the eu-LISA Security Officer in the development, implementation and maintenance of eu-LISA's overall Security and Continuity Management System;
- Assuring that the Agency's security controls meet the quality standards according to key performance indicators;
- Implementing and developing the Security Awareness Programme for the users and administrators of the systems;
- If necessary, acting as first responder during an incident or a crisis/emergency situation that might impact the Agency's core business;
- Liaising, when needed, upon request of the eu-LISA Security Officer and under his supervision, with the national security authorities of the host Member States or with the security services of other EU institutions or bodies, on matters related to the security and business continuity of the Agency, its operations and systems.
Qualifications and Experience Required
Applicants will be considered eligible for recruitment and selection on the basis of the following formal criteria which need to be fulfilled by the deadline for applications:
- he/she has a level of education which corresponds to completed university studies of at least three years attested by a diploma;
N.B. Only qualifications that have been awarded in EU Member States or that are subject to the equivalence certificates issued by the authorities in said EU Member States shall be taken into consideration.
- he/she is a national of one of the Member States of the Union, Norway, Iceland, Liechtenstein or Switzerland and enjoys his/her full rights as a citizen;
- he/she has fulfilled any obligations imposed on him/her by the laws concerning military service;
- he/she produces the appropriate character references as to his/her suitability for the performance of his/her duties;
- he/she is physically fit to perform his/her duties; and
- he/she produces evidence of a thorough knowledge of one of the languages of the Union and of a satisfactory knowledge of another language of the Union to the extent necessary for the performance of his/her duties.
Suitability of applicants will be assessed against the following criteria in different steps of the selection procedure. Certain criteria will be assessed only for short-listed applicants during interviews and tests.
Professional experience and knowledge
The applicant will be required to demonstrate that he/she has:
- Knowledge and/or preferably proven professional experience with ISO 27000 (Information Security) and ISO 22301 (Business Continuity) standards families and/or a formal security and/or business continuity certification (e.g. ISO 22301 Lead Implementer/Lead Auditor, ISO 27001 Lead Implementer/Lead Auditor, ISO 27005 Risk management, CISM, CISA, CISSP, etc.);
- MD level diploma in information management, business continuity, legal or security fields or any other related domain;
- Knowledge and/or preferably proven professional experience in the development, implementation or assessment of an Information Security Management System;
- Knowledge and/or preferably proven professional experience in planning and conducting information security testing, exercising and training;
- Knowledge and/or preferably proven professional experience in security assessments, IT security audits, security testing, vulnerability assessments and penetration testing;
- Knowledge and/or preferably proven professional experience in applying risk management methodologies, tools and processes;
- Knowledge and/or preferably proven professional experience in application security (OWASP Application Security and Verification);
- Knowledge and/or preferably proven professional experience in information security planning, business continuity planning and disaster recovery planning;
- Knowledge and/or preferably proven professional experience in developing security policies and procedures (gap analysis, plans, policies, standards, business impact analysis, etc.);
- Knowledge and/or preferably proven professional experience in reporting to senior management;
- Strong drafting and communication skills in English both orally and in writing, at least at the level C1.
The working language of eu-LISA is English. Therefore, the ability to communicate in English is an essential requirement.
Further, the following attributes would be advantageous:
- Proven professional experience in security operations engineering (e.g. implementation of defensive measures, threat intelligence production);
- Proven professional experience in methods, techniques and representative solutions in the following domain areas:
  - Authentication and authorisation methodologies (including identity and access management);
  - Use of encryption technologies (including high assurance crypto solutions);
  - Security controls in virtualised environments and shared infrastructures.
- Proven professional experience in a multicultural environment, preferably in EU institutions or agencies or government agencies;
- Knowledge of French language at least at the level B2.
Attributes important to this post include:
- Excellent analytical and problem-solving skills;
- Engaging and motivating presentation skills;
- Strong inter-personal and negotiation skills;
- Ability to think creatively;
- Excellent organisational skills and the ability to plan/prioritise work towards tight deadlines;
- Accuracy and attention to detail;
- Ability to take initiative and responsibility;
- Strong service-orientation, results-orientation and proactive working style.