Lead Vulnerability Assessor (PROJ-4280)

Job Duties and Responsibilities:

• Liaise with multiple project and capability stakeholders to assist in design and documentation of ICT system security controls Evaluation Team.
• Contribute to design of ICT Security policy and documentation, and implement practices, technologies and governance.
• Analyse and assess ICT system security documentation and configuration, including the use of vulnerability assessment tools.
• Undertake ICT security threat and risk assessment and develop appropriate security documentation to gain certification.
• Support the operation of the IT security team by providing the following services:
• IT security education and outreach.

** Leadership on IT security related matters and issues.

** Assist in the Continuous improvement processes.

** Stakeholder engagement on security-related matters.

• Lead and perform forensically sound very complex security investigations on a wide array of assets and devices that directly relate to security infrastructure, in accordance with the established procedures.
• Accountable to conduct investigations which may be as the result of a security incident or by direction from senior leadership.
• Assess and explain very complex threat profiles of a variety of electronic devices, as relevant across the Australian Signals Directorate.
• Lead analytical processes to identify and recommend actions to maintain and improve the integrity of the ICT infrastructure.
• Communicate and provide authoritative advice and guidance on strategies to improve the Australian Signals Directorate ICT security and mitigate risk of devices compromising that security.
• Interpret and comply with relevant policy governing ICT security in the Australian Signals Directorate, both internal and whole-of-Government, including legislation that underpins digital security and online privacy.
• Evaluate and assist with the application and compliance of security controls and review information systems for actual or potential security vulnerabilities.
• Adopt and adapt appropriate systems design methods, tools and techniques selecting appropriately from predictive (plan-driven) approaches or adaptive (iterative/agile) approaches, and ensure they are applied effectively.
• Review and make recommendations and assess and manage associated risks of others' systems designs to ensure selection of appropriate technology, efficient use of resources, and integration of multiple systems and technology.
• Contribute to development of systems design policies and standards and selection of architecture components.

Essential criteria:

• Compliance Monitoring and Controls Testing: Level 5 (CIISEC)

Leads teams conducting compliance monitoring and/or controls testing, reporting findings to middle management; escalates issues as appropriate.

• Internal and Statutory Audit: Level 5 (CIISEC)

Leads teams of auditors conducting internal or external audits. Produces and agrees plans for each audit. Agrees solutions and actions with management.

• Intrusion Detection and Analysis: Level 2 (CIISEC)

Can explain the basic principles involved in monitoring network and system activity for anomalous behaviour and how the results can be used. This might include experience of applying these principles in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination.

Desirable criteria:

• Risk Assessment: Level 4 (CIISEC)

Undertakes complex risk assessments with supervision, either as an individual or a member of a team.

• Security Evaluation and Functionality Testing: Level 5 (CIISEC)

Leads Security Evaluation or Functionality Testing teams.