Requirements
3. Key accountabilities
3.1 Day-to-day security leadership
• Lead and own day-to-day operational responsibility for service security.
• Advise the client on security status and matters; identify and address risks; continuously maintain and improve the security posture.
• Act as the authoritative security voice in the client's Design Authority and Enterprise Architecture forums for security-impacting changes.
3.2 Security operations and SOC integration
• Provide the required reports to the client SOC in agreed format and frequency.
• Support the SOC in resolving security incidents; document security use cases with the SOC; implement, maintain and support those SOC infrastructure components hosted within the cloud infrastructure.
• Co-ordinate response to security incidents with the client's Cyber Security Incident Response Plan and ensure the Incident Manager and Service Delivery Manager are informed and aligned.
3.3 Assurance, audit and compliance
• Treat information security issues, weaknesses or deficiencies identified by the client as Security Incidents under the client's Cyber Security Incident Response Plan.
• Provide client auditors with access to security documentation, configurations of security-enforcing technologies, standards and procedures.
• Collaborate with the client to plan and conduct annual PenTest and regular Disaster Recovery exercises.
• Ensure GDPR / DPA 2018 obligations are met; oversee data retention, secure disposal, lawful processing, and Data Protection Impact Assessments where required.
3.4 Technical security controls
• Define, document, agree and maintain Standard Operating Procedures for system administration and maintenance, with procedural controls per user role.
• Ensure authorisation controls prevent extraction of information assets without legitimate need.
• Ensure only client-issued devices are used to connect to the service in delivery.
• Maintain a data back-up policy aligned to the Business Impact Assessment and the client's retention policy.
• Enforce removable-media scanning, network segregation, least-privilege access, location-based access controls, and unique user IDs.
• Ensure all Supplier work on the service is conducted exclusively from within the UK from client-approved secure areas.
3.5 Communications and notification
• Maintain regular communication with the client throughout the contract.
• Promptly notify the client of any changes to directors, key security personnel, business ownership (including acquisitions) or physical operating locations.
• Report any major security breaches within the Supplier's own ICT estate to the client.
4. Essential experience and skills
• Substantial experience as an accountable security owner on a UK Central Government managed-service contract handling OFFICIAL-SENSITIVE data.
• Deep working knowledge of NCSC HMG IAS5, NCSC Cyber Assessment Framework (CAF), Cyber Essentials Plus, ISO/IEC 27001, GDPR and DPA 2018.
• Hands-on experience integrating with a UK Government SOC, including SIEM reporting, security use case design and incident response co-ordination.
• Practical experience of Oracle Cloud security — OCI IAM, vault, network security, audit, PAM — and Oracle SaaS application security (HCM/ERP/EPM RBAC, segregation of duties, data masking).
• Experience commissioning and overseeing PenTesting, vulnerability management, and Disaster Recovery exercises in a UK Government context.
• Strong written communication for government-grade audit, assurance and governance reporting.
• Comfortable as a named security accountable individual in formal governance and contractual reporting.
5. Essential clearance and eligibility
• DV clearance and UK Nationality — contractually mandatory (PASS/FAIL). Pre-cleared candidates strongly preferred. Candidates without current DV may be considered only if SC-cleared with a credible DV application route through client sponsorship at the start of Transition.
• Willing and able to work exclusively from within the UK.
• Willing to attend client secure areas across the UK as required.
6. Desirable
• CISSP, CISM, CCP (CESG Certified Professional) IA Architect / IA Auditor / SIRA, or equivalent senior security certifications.
• Oracle Cloud Security certifications (OCI Security Professional, Oracle Cloud Identity & Security Architect).
• Prior experience of an Oracle ERP-on-OCI security model at scale (HCM, ERP, EPM, VBCS, BI/Analytics).
• Familiarity with the UK Government security operating context, including overseas-network considerations, locally-engaged staff data, and HMG personnel security policy.
• Experience supporting PCI-DSS compliance where payment card data is in scope.
7. Personal attributes
• Authoritative without being abrasive — able to say 'no' to delivery pressure and explain why in business terms.
• Detail-oriented on policy, controls and evidence; pragmatic on operational trade-offs.
• Comfortable owning a named, individually-accountable role under public-sector contractual scrutiny.
• Visible collaborator with client security counterparts, third-party vendors, and internal service leadership.