Organizational Setting

The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises hardware and software platforms, and cloud and externally-hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.

 

Main Purpose

The Chief Information Security Officer (CISO), reporting to the IAEA's Director of Information Technology/Chief Information Officer (DIR-MTIT/CIO) is accountable for the creation, implementation, and oversight of information security program and policies designed to reduce and mitigate information security risk across the Agency to a level tolerable to the organization. The CISO will establish and lead an enterprise-wide information security and assurance function, ensuring that confidentiality, integrity, and availability requirements of information systems and assets are identified and managed appropriately.

 

Role

The CISO is: (1) a leader, providing vision and direction, while inspiring the implementation of innovative security solutions and best practices that address the IAEA's priorities; (2) a manager of direct and indirect resources within the Division as well as across the Agency; and (3) an advisor to DIR-MTIT/CIO and to others throughout the Agency on matters in connection with information security.

 

Functions / Key Results Expected

Business alignment
Build sound business relationships across the Agency to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
Provide clear and timely business advice to executive management on key information security and assurance issues.
Ensure representation of relevant and adequate information security and risk on relevant business and governance forums is known, well-integrated, and addressed across the Agency.

Information Security Governance
Provide leadership, vision, direction and management to the various information and cyber security engineering and operations teams across the Agency, to the decentralised technical teams within departments and to the IAEA as a whole.
Oversee, implement and improve the IAEA's Information Security Management System (ISMS) including its policies, standards and processes and align them with ISO 27001.
Ensure that all IT and information security programs are in compliance with applicable laws, regulations, and policies.

Information Security Awareness
Create, manage, deliver the relevant information Security Awareness training to the staff, and review effective information security awareness training.

Information Security Risk management
Establish and manage an information security and risk management capability and framework across the organisation and align it with the IAEA's risk management strategy.
Develop and obtain management approval for short and long term strategies, roadmaps, and business cases to appropriately mitigate, detect, and deter information security threats.
Conduct information security risk assessments across the enterprise at suitable intervals.
Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives.
Regularly verify that required information security and risk controls are in place, raising findings as noncompliance is found and driving improvement.
Ensure that internal and external audits are supported in development of an annual strategic audit plan.

Security Architecture
Develop and maintain an effective information security architectural approach.
Ensure the consistent application of security standards across global technical infrastructure.
Liaise with enterprise architecture to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
Collaboratively engage with other IS functions and business representatives to facilitate a globally standardized approach and governance structure to information security and risk.
Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.

Security Engineering and Operations
While various units within IT have direct responsibility for Security Operations, the CISO has an oversight role for the following functions:
Establish processes, processes and appropriate staff training to respond to significant information security breaches in a timely and proactive manner.
Monitor, manage, and deploy security controls as appropriate to support business needs while minimizing risk.
Oversee the close management and analysis of security information and events.
Respond to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
Lead the effort to maintain an effective and timely program to manage identity and access privileges.

Qualifications, Experience and Language skills

  • Advanced university degree in Computer Science, Engineering, Mathematics or related field of study.
  • A University degree in Computer Science, Engineering, Mathematics or related field of study in combination with two additional years of relevant professional experience may be considered in lieu of the Advanced University Degree.
  • CISSP, CISM, CISA, CRISC or other Information Security Credentials is preferred.
  • A minimum of ten years of experience leading sizable information risk, security, and governance teams, transforming functions and changing culture.
  • Experience with managing budgets to deliver demonstrable value.
  • Experience with leading the response to incidents, crises, and investigations with sensitivity, tenacity, and a focus on detail.
  • Experience in information security architecture, consultative stakeholder management, and strategic planning.
  • Experience in an IT environment with significant outsourced and cloud models, and the appropriate contract and vendor negotiations.
  • Experience with classified networks, information classification, and confidentiality requirements associated with high security environments.
  • Excellent oral and written command of English. Knowledge of other official IAEA languages (Arabic, Chinese, French, Russian and Spanish) is an asset.
Technical Skills
Is a Remote Job?
No
Employment Type
Full time

The International Atomic Energy Agency (IAEA) was set up as the world’s “Atoms for Peace” organization within the United Nations family. From the beginning, it was given the mandate to work with its...

Apply Now