IMPORTANT NOTICE REGARDING APPLICATION DEADLINE: please note that the deadline for applications is indicated in local date and time.
Subject to the applicable conditions and procedures, a non-pensionable recruitment incentive of 29,000 USD (in case of an initial appointment of two years) may be paid to the selected candidate. The incentive shall not be payable to staff members a) who are appointed in the framework of an inter-agency agreement, b) who are recruited from another organization of the United Nations common system outside the framework of an inter-agency agreement or c) who had been previously appointed with a recruitment incentive by another organization of the United Nations common system within five years of the deadline for application.
1. Organizational Context
a. Organizational Setting
The Division is responsible for the management of all aspects of WIPO's information and physical security and safety and ensures that appropriate policies and procedures are in place and effective measures and controls are established to assess and mitigate threats/risks to the Organization. As part of the Division, the Information Security Section defines the controls for the implementation of information security instruments and monitors whether adequate assurance is maintained over WIPO's information assets.
The Division also provides professional safety and security services for WIPO staff, its delegates and visitors and ensures the protection of the Organization's facilities and assets. An appropriate balance between the 'service' and 'control' roles is key to its success in enabling and sustaining WIPO's operations in an environment with increasing demands for openness and connectivity on the one hand and rapidly evolving information security risks on the other.
b. Purpose Statement
The Information Risk Officer provides information risk management and IT security expertise in the form of risk analysis, consultancy, policy, standards and best practice guidance, as well as process improvements.
The incumbent works with project teams, service providers (internal and external to WIPO), and internal business units. The incumbent is expected to bring pragmatic risk management experience allowing WIPO to meet its present and emerging business needs, in compliance with WIPO's information security policies and standards and within risk tolerance.
The incumbent guides and advises technology and business personnel on the value and methods of safeguarding information, applications, systems, infrastructure, and activities to help ensure that technologies function optimally and work practices are optimized so that the information risks are managed. The incumbent also manages the implementation and operations of a multi-module Information Security governance, risk and compliance (GRC) tool.
c. Reporting Lines
The incumbent works under the supervision of the Head of Information Security Section.
2. Duties and Responsibilities
The incumbent will perform the following principal duties:
a. Establish and maintain governance and risk management processes for performing information security risk assessments (Certification and Accreditation) of projects, new technologies, external service providers, and changes to information and communication technology (ICT). Guide staff and managers on appropriate information risk mitigation options and strategies.
b. Effectively communicate requirements and train staff and managers in ICT and business application divisions to identify and manage risks throughout the project lifecycle. Conduct quality assurance reviews of security requirements and audit recommendations for the implementation of identified solutions.
c. Design, implement and maintain an integrated IT GRC architecture, tools and techniques to manage and report risks. Analyze, recommend and implement process improvements within the context of information security.
d. Coordinate the engagement and risk management processes with external risk assessment service providers and act as a liaison with internal ICT project teams and business units.
e. Monitor and drive mitigation of identified risks through persistent follow-up and follow-through with lines of business and ICT stakeholders.
f. Communicate and report on risk metrics to management and governance groups. Coordinate and support the work of information security governance.
g. Support WIPO's ISO 27001 certification by promoting self-compliance with policies and standards by ICT staff and managers. Keep abreast of international information security codes of practice such as ISO 27001/27002 and COBIT, of information security and privacy regulations, and of how these measures could affect information assets owned by, or administered on behalf of, WIPO.
h. Provide substantive input into the development of WIPO's enterprise security architecture standards at the business, information, infrastructure, and application level.
i. As an advocate of information security, work closely and proactively with ICT, project team leaders, service providers, and the business to provide security-related technical solutions; identify opportunities to improve business practices or ICT security-related processes.
j. Perform any other duties as assigned.
First-level university degree in information security, computer science, engineering, mathematics, business or a related discipline. An advanced university degree in a relevant discipline may substitute for two years of the required experience.
Certifications in information security risk management such as CISSP or CRISC.
Additional certifications such as CISM, CIPP, CISA, CISSP-ISSEP or ISO 27001 Lead Auditor/Implementer.
At least six years' relevant professional experience, including in regulated industries (preferably financial or intellectual property), working in an information risk role or similar for medium to large organizations facing multiple and sophisticated threats.
Experience in integrating information risk management into system development and service management lifecycles.
Experience maintaining an effective Information Security Management System (ISMS) certified to ISO 27001:2013.
Experience in monitoring and managing the delivery and performance of external service providers.
Experience in managing the deployment and operations of an integrated Information Security GRC solution.
Project management experience.
Experience in managing IT security in the areas of identity and access management, infrastructure, network, endpoints, applications, database system technologies, mobility, cloud, virtualization security architectures, and information security process improvement.
Excellent written and spoken knowledge of English.
Knowledge of other UN official languages, particularly French.
Job Related Competencies
Familiarity with a broad range of technologies supplemented by in-depth knowledge in specific areas of relevance.
Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals.
Strong problem-solving and analytical skills.
Excellent organizational skills with the ability to prioritize work assignments and to meet deadlines.
Excellent interpersonal skills and ability to maintain effective partnerships and working relations in a multi-cultural environment with sensitivity and respect for diversity.
Excellent written and verbal communication skills, with the ability to articulate complex technical ideas to non-technical stakeholders.
Vendor management skills.
Knowledge and/or skills in the following areas: (i) risk management and control frameworks including ISO 27005, ISO 31000, NIST SP 800-53, COSO, and COBIT; (ii) IT GRC tools; and (iii) security architecture principles and models like SABSA, Zachman or TOGAF.
Knowledge and/or skills in the following areas: (i) identity and access management technologies; (ii) managed security operations; (iii) web services security; (iv) infrastructure security: n-tier architectures, firewalls, intrusion detection/prevention tools, endpoint security, application whitelisting, network admission controls, policy detection and enforcement controls, web application firewalls, proxies, SOA firewalls, reverse proxies, server and network security controls (Windows/Linux/AIX), database security (SQL DB/Oracle); (v) application security processes and methodologies (Secure SDLC, OWASP); (vi) incident management techniques and processes; and (vii) mobile and cloud security.
4. Organizational Competencies
1. Communicating effectively.
2. Showing team spirit.
3. Demonstrating integrity.
4. Valuing diversity.
5. Producing results.
6. Showing service orientation.
7. Seeing the big picture.
8. Seeking change and innovation.
9. Developing yourself and others.
Mobility: WIPO staff members are international civil servants subject to the authority of the Director General and may be assigned to any activities, office or duty station of the Organization. Accordingly, the selected candidate may be required to move from time to time to new functions and/or to another duty station.
Total annual salary consists of a net annual salary (net of taxes and before medical insurance and pension fund deductions) in US dollars and a post adjustment. The post adjustment (cost of living allowance) is variable and subject to change without notice in accordance with the rates as set within the UN Common System for salaries and allowances. The figures quoted below are based on the January 2019 rate of 69.4%.
Salaries and allowances are paid in Swiss francs at the official rate of exchange of the United Nations.
Please refer to WIPO’s Staff Regulation and Rules for detailed information concerning salaries, benefits and allowances.
* Initial period of two years, renewable, subject to satisfactory performance. No fixed-term appointment or any extension hereof shall carry with it any expectancy of, nor imply any right to, (further) extensions or conversion to a permanent appointment.
This vacancy announcement may be used to fill other posts at the same grade with similar functions in accordance with Staff Rule 4.9.5.
Applications from qualified women as well as from qualified nationals of unrepresented Member States of WIPO and underrepresented geographical regions are encouraged. Please click on the following links for the list of unrepresented Member States and the list of underrepresented regions and the WIPO Member States in these regions.
The Organization reserves the right to make an appointment at a grade lower than that advertised.
By completing an application, candidates understand that any willful misrepresentation made on this web site, or on any other documents submitted to WIPO during the application, may result in disqualification from the recruitment process, or termination of employment with WIPO at a later date, if that employment resulted from such willful misrepresentations.
In the event that your candidature is shortlisted, you will be required to provide, in advance, a scanned copy of an identification and of the degree(s)/diploma(s)/certificate(s) required for this position. WIPO only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU) / United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed through the link: http://www.whed.net/. Some professional certificates may not appear in the WHED and these will be reviewed individually.
Additional testing/interviewing may be used as a form of screening. Initial appointment is subject to satisfactory professional references.
Additional background checks may be required.