ITSO - Part-Time

InfosecOfficer (Applications & Infrastructure)

You will be part of theInfosecurity team, supporting the agency's efforts to strengthen the securityposture of its application portfolio, enterprise IT infrastructure, andOperational Technology (OT) systems. Working closely with application projectmanagers, development teams, infrastructure teams, and OT system owners, youwill help identify, track, and remediate security vulnerabilities across theagency's systems in both on-premises and cloud environments.

Key Responsibilities

Application Security

• You will review and support the preparation of System Security Plans (SSPs) for applications, working with project managers to address deviations and ensure compliance.
• You will manage and track application vulnerability findings from tools such as the GovTech Vulnerability Management System (VMS) and Cloudscape, following up with application teams to ensure timely remediation within IM8 deadlines.
• You will coordinate and review results from Vulnerability Assessments (VA), Penetration Tests (PT), and Source Code Reviews, maintaining an up-to-date picture of outstanding issues across the application portfolio.
• You will advise on the configuration needed for the security quality gates in SHIP/HATS such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and third-party dependency checks. You will review results from these tests and do the necessary follow-up.
• You will facilitate Threat Modelling exercises for all systems, working with application teams to identify attack vectors and design mitigations early in the development lifecycle. You will also support the onboarding of citizen-facing applications onto the Government Bug Bounty Programme (GBBP) and manage the triage of findings from ethical hackers.
• You will support the management of third-party library and tool inventories, working with project managers to address obsolescence and vulnerability risks.

Infrastructure Security

• You will work with the Infra team to configure security alerts for Defender in Azure Cloud and Trendmicro Vision One.
• You will manage and track infrastructure vulnerability findings from security tests — including Vulnerability Assessments, Penetration Tests, and Government Bug Bounties — coordinating with the infrastructure team to ensure patches are applied within IM8 deadlines. You will monitor patch publication dates against patch alert dates to ensure timely escalation, and initiate improvements to the patching cycle to move towards automated patching.
• You will support the review and hardening of the agency's GCC 2.0 cloud environment, working from CSP-specific security guides to identify and close configuration gaps. This includes addressing outstanding Cloud VA and Cloud PT findings, such as those relating to Microsoft Defender configurations, network security groups, access controls, and storage account settings.
• You will assist in the configuration and fine-tuning of security monitoring tools, including the Endpoint Detection and Response (EDR) solution under Trend Micro Vision One, and support the forwarding of logs to GCSOC. You will initiate continuous improvement to GCSOC telemetry reports (P5I9) and work with the relevant teams to address gaps in coverage.
• You will review the implementation of Just-In-Time and Least Privileged Access controls for infrastructure administrator accounts, including work with CyberArk.
• You will assist in configuring and testing Web Application Firewall (WAF) rules and rate limiting controls, and coordinate with the CDN vendor to document and test DDoS management procedures.
• You will support subdomain housekeeping efforts and asset identification exercises to ensure full visibility of the agency's attack surface.
• You will assist in preparing for and responding to central IM8 audits, including readiness reviews across areas such as vulnerability management, incident response, and infrastructure hardening.

Operational Technology (OT)Security

• You will work with OT system owners and operations teams to assess their compliance against IM8 requirements and GovTech's OT Security Playbook. This includes identifying gaps in areas such as vulnerability management, network segmentation, access controls, and security monitoring for OT systems such as Building Management Systems and CCTV infrastructure. You will work collaboratively with OT teams to develop remediation plans, track progress, and escalate risks where gaps cannot be closed within acceptable timeframes.

Requirements

·      Experience in application security,infrastructure or cloud security, secure software development, or a relatedfield.

·      Familiarity with common vulnerability classes(e.g. OWASP Top 10), penetration testing concepts, and secure SDLC practices isexpected. Hands-on knowledge of vulnerability management, system hardening, andsecurity monitoring is required.

·      Familiarity with Azure cloud environments,Trend Micro Vision One, network security concepts, Dell Backup, and endpointsecurity tools is expected.

·      Experience with CI/CD pipelines and securitytesting tools would be an advantage.

·      Exposure to OT security concepts andframeworks would be beneficial, though not mandatory, as on-the-job guidancewill be provided.

·      Engage technical and non-technicalstakeholders across both IT and OT domains and be able to manage multipleworkstreams simultaneously in a resource-constrained environment.

·      Knowledge of Singapore Government IM8policies and GCC 2.0 is needed.