Chief Information Security Officer (P5)

  • Added Date: Thursday, 04 April 2024
  • Deadline Date: Thursday, 25 April 2024

IMPORTANT NOTICE REGARDING APPLICATION DEADLINE: Please note that the closing date for submission of applications is indicated in local time as per the time zone of the applicant's location.

Organizational Setting

The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises hardware and software platforms, and cloud and externally-hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.

Main Purpose

The Chief Information Security Officer (CISO), reporting to the IAEA's Director of Information Technology/Chief Information Officer (DIR-MTIT/CIO), is accountable for the creation, implementation and oversight of the information security program and policies designed to reduce and mitigate information security risk across the Agency to a level tolerable to the organization. The CISO will establish and lead an enterprise-wide information security and assurance function, ensuring that the confidentiality, integrity and availability requirements of information systems and assets are identified and managed appropriately.

Role

The CISO is: (1) a leader, providing vision and direction, while inspiring the implementation of innovative security solutions and best practices that address the IAEA's priorities; (2) a manager of direct and indirect resources within the Division as well as across the Agency; and (3) an advisor to DIR-MTIT/CIO and to others throughout the Agency on matters in connection with information security.

Functions / Key Results Expected

Business alignment
Build sound business relationships across the Agency to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
Provide clear and timely business advice to executive management on key information security and assurance issues.
Ensure that information security and risk are adequately represented on relevant business and governance forums, so that they are known, well-integrated and addressed across the Agency.

Information Security Governance
Provide leadership, vision, direction and management to the various information and cyber security engineering and operations teams across the Agency, to the decentralised technical teams within departments and to the IAEA as a whole.
Oversee, implement and improve the IAEA's Information Security Management System (ISMS) including its policies, standards and processes and align them with ISO 27001.
Ensure that all IT and information security programs are in compliance with applicable laws, regulations, and policies.

Information Security Awareness
Create, manage and deliver relevant information security awareness training to staff, and review its effectiveness.

Information Security Risk management
Establish and manage an information security and risk management capability and framework across the organisation and align it with the IAEA's risk management strategy.
Develop and obtain management approval for short- and long-term strategies, roadmaps and business cases to appropriately mitigate, detect and deter information security threats.
Conduct information security risk assessments across the enterprise at suitable intervals.
Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives.
Regularly verify that required information security and risk controls are in place, raising findings as noncompliance is found and driving improvement.
Ensure that internal and external audits are supported, including in the development of an annual strategic audit plan.

Security Architecture
Develop and maintain an effective information security architectural approach.
Ensure the consistent application of security standards across global technical infrastructure.
Liaise with enterprise architecture to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
Collaboratively engage with other IS functions and business representatives to facilitate a globally standardized approach and governance structure to information security and risk.
Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.

Security Engineering and Operations
While various units within IT have direct responsibility for Security Operations, the CISO has an oversight role for the following functions:
Establish processes and appropriate staff training to respond to significant information security breaches in a timely and proactive manner.
Monitor, manage, and deploy security controls as appropriate to support business needs while minimizing risk.
Oversee the close management and analysis of security information and events.
Respond to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
Lead the effort to maintain an effective and timely program to manage identity and access privileges.

Competencies and Expertise

Core Competencies (Competency Framework)

  • Planning and Organizing: Plans and organizes his/her own work in support of achieving the team or Section's priorities. Takes into account potential changes and proposes contingency plans.
  • Communication: Communicates orally and in writing in a clear, concise and impartial manner. Takes time to listen to and understand the perspectives of others and proposes solutions.
  • Achieving Results: Takes initiative in defining realistic outputs and clarifying roles, responsibilities and expected results in the context of the Department/Division's programme. Evaluates his/her results realistically, drawing conclusions from lessons learned.
  • Teamwork: Actively contributes to achieving team results. Supports team decisions.

Functional Competencies

  • Client orientation: Helps clients to analyse their needs. Seeks to understand service needs from the client's perspective and ensure that the client's standards are met.
  • Commitment to continuous process improvement: Plans and executes activities in the context of quality and risk management and identifies opportunities for process, system and structural improvement, as well as improving current practices. Analyses processes and procedures, and proposes improvements.
  • Technical/scientific credibility: Ensures that work is in compliance with internationally accepted professional standards and scientific methods. Provides scientifically/technically accepted information that is credible and reliable.

Required Expertise (Function / Expertise Name: Description)

  • Information Technology / IT Security: Extensive knowledge and experience in Information Security Systems.
  • Information Management / Information Architecture: Extensive knowledge and experience in Information Security Architecture.
  • Information Technology / Information Security and Risk Management: Extensive knowledge and experience in Information Security and Risk Management areas.

Qualifications, Experience and Language skills

  • Advanced university degree in Computer Science, Engineering, Mathematics or related field of study.
  • A University degree in Computer Science, Engineering, Mathematics or related field of study in combination with two additional years of relevant professional experience may be considered in lieu of the Advanced University Degree.
  • CISSP, CISM, CISA, CRISC or other information security credentials are preferred.
  • A minimum of ten years of experience leading sizable information risk, security, and governance teams, transforming functions and changing culture.
  • Experience with managing budgets to deliver demonstrable value.
  • Experience with leading the response to incidents, crises, and investigations with sensitivity, tenacity, and a focus on detail.
  • Experience in information security architecture, consultative stakeholder management, and strategic planning.
  • Experience in an IT environment with significant outsourced and cloud models, and the appropriate contract and vendor negotiations.
  • Experience with classified networks, information classification, and confidentiality requirements associated with high security environments.
  • Excellent oral and written command of English. Knowledge of other official IAEA languages (Arabic, Chinese, French, Russian and Spanish) is an asset.

Remuneration

The IAEA offers an attractive remuneration package including a tax-free annual net base salary starting at US $92731 (subject to mandatory deductions for pension contributions and health insurance), a variable post adjustment which currently amounts to US $52764*, dependency benefits, rental subsidy, education grant, and relocation and repatriation expenses. Other benefits include 6 weeks' annual leave, home leave travel, pension plan and health insurance. More information on the conditions of employment can be found at: https://www.iaea.org/about/employment/professional-staff/conditions

General Information

  • The IAEA's paramount consideration in the recruitment of staff members is to secure employees of the highest standards of efficiency, technical competence and integrity.
  • Staff members shall be selected without any unfair treatment or arbitrary distinction based on a person's race, sex, gender, sexual orientation, gender identity, gender expression, religion, nationality, ethnic origin, disability, age, language, social origin or other similar shared characteristic or trait.
  • The IAEA is committed to gender equality and to promoting a diverse workforce. Applications from qualified women and candidates from developing countries are strongly encouraged.
  • Applicants should be aware that IAEA staff members are international civil servants and may not accept instructions from any other authority. The IAEA is committed to applying the highest ethical standards in carrying out its mandate. As part of the United Nations common system, the IAEA subscribes to the following core ethical standards (or values): Integrity, Professionalism and Respect for diversity.
  • The IAEA has a zero-tolerance policy on conduct that is incompatible with the aims and objectives of the United Nations and the IAEA, including sexual harassment, abuse of authority and discrimination.

Evaluation process

  • The evaluation of applicants will be conducted on the basis of the information submitted in the application according to the selection criteria stated in the vacancy announcement. Applicants must provide complete and accurate information. Evaluation of qualified candidates may include an assessment exercise, which may be followed by a competency-based interview.
  • Candidates under serious consideration for selection may be subject to reference and background checks as part of the recruitment process.

Appointment information

  • Appointment is subject to a satisfactory medical report.
  • Staff members may be assigned to any location.
  • Candidates appointed to posts in the Professional and higher categories are subject to IAEA rotation policy and their maximum tour of service shall normally be seven years.
  • The IAEA retains the discretion not to make any appointment to this vacancy, to make an appointment at a lower grade or with a different contract type, or to make an appointment with a modified job description or for a shorter duration than indicated above.

This vacancy is archived.