Security compliance specialist

Canberra
Opnlabs Pty Ltd
USD 98,765 - USD 123,456 a year
Posted: 1 September
Offer description

The Security Compliance Specialist is required to provide specialised support services for Defence ICT systems, including fixed and deployed systems ranging from simple to complex systems/networks, on behalf of the Cyber Security Assessments and Authorisation (CSAA) Directorate.

This role will undertake ICT security assessments of classified systems in accordance with the requirements of Government and Defence security policies, procedures and guidelines (including but not limited to the ISM, PSPF, CSAA Framework and DSPF). This will include, as the main deliverable output, the completion of a Security Assessment Report and Authorisation Brief in DCIAB format.

The main responsibilities include:


* Assess the effectiveness of security controls for a system and its operating environment.
* For each system assessed, produce a report that details the assessment, including:
  * Scope/Background
  * Security strengths and weaknesses (including key threats and vulnerabilities)
  * Security risks
  * Effectiveness of currently implemented security controls
  * Recommended remediation actions (this may include stage 2 recommendations, VA/Pen test, suggested improvements, as well as potential caveats of operational or Production use depending on system maturity and security posture).
* Attend meetings and workshops as required to provide ICT Security advice and guidance to stakeholders and customers.
* Contribute to reporting and briefing requirements of the Directorate.
* Adhere to Defence, Defence Cyber and Information Assurance Branch (DCIAB) and CSAA principles and practices.
* Achieve Authority to Operate requirements.

- Tertiary qualification and/or demonstrable industry experience in an ICT discipline or equivalent.
- Two or more of the following certifications:
  * Certified Industry System Security Professional (CISSP)
  * Certified Information Security Manager (CISM)
  * ISO 27001 Lead Auditor
  * Global Information Assurance Certification (GIAC)
  * Global Information Assurance Certification Forensic Analyst (GCFA)
  * Certified Information Systems Auditor (CISA).
- Experience in ICT Security Risk Management and methodologies.
- Demonstrated experience in ICT system assessment and authorisation review and approval process from a security and risk perspective.
- Ability to work under broad direction, with a considerable degree of autonomy.
- Detailed understanding of the Protective Security Policy Framework (PSPF), Information Security Manual (ISM) and Defence Security Policy Framework (DSPF).
- Excellent communication skills.

Desirable Skills and Experience:

* Recent experience in security assessments of ICT systems in Defence.
* Familiarity with ITIL, NIST SP 800 series etc.
* Familiarity with CMFP, FMN, ZTA, Defence CP, SNOW, ASD Essential 8.
* Familiarity with DevSecOps reporting tools and Security dashboards and pipeline toolsets.
* Demonstrated experience in Defence Authority To Operate (Accreditation) review and approval process from a security and risk perspective.

Flexible working arrangements are available on a case-by-case basis; work location is Canberra.

Minimum NV1 security clearance (Active), preferred NV2 (Active).
