Information Risk Officer


Information Risk Officer - 16272 (TA)
Information Security Section, Security and Information Assurance Division, Administration and Management Sector
Grade - P3
Contract Duration - 12 months
Duty Station : CH-Geneva
Publication Date : 06-Jul-2016   Application Deadline : 01-Aug-2016, 11:59:00 PM
 

1.  Organizational Context

 

The position is located in the Security and Information Assurance Division (SIAD).

 

The Division is responsible for the management of all aspects of WIPO’s information and physical security and safety and ensures that appropriate policies and procedures are in place and that effective measures and controls are established to assess and mitigate threats/risks to the Organization. In particular, the Division defines the controls for the implementation of information security instruments and monitors whether adequate assurance is maintained over WIPO’s information assets. The Division also provides professional safety and security services for WIPO staff, its delegates and visitors and ensures the protection of the Organization’s facilities and assets. An appropriate balance between its “service” and “control” roles is key to its success in enabling and sustaining WIPO’s operations in an environment with increasing demands for openness and connectivity on the one hand and rapidly evolving information security risks on the other.

 

The incumbent, as Information Risk Officer, will provide information risk management and IT security expertise. The expertise will take the form of risk analysis, consultancy, policy, standards and best practice guidance, and process improvements. The incumbent will be required to work with project teams, service providers, and business units internal and external to WIPO. The incumbent is expected to bring pragmatic risk management experience allowing WIPO to meet its present and emergent business needs in compliance with WIPO’s information security policies and standards and within risk tolerance. The incumbent is expected to guide and advise technology and business personnel regarding the value and methods of safeguarding information, applications, systems, infrastructure, and activities, to help ensure that technologies function optimally and work practices are optimized so that information risks are managed.

The incumbent works under the supervision of the Head of Information Security Section.

 

2.  Duties and responsibilities

 

Establish and maintain governance and risk management processes for performing information security risk assessments (Certification and Accreditation) of projects, new technologies, external service providers, and ICT changes. Guide staff and managers on appropriate information risk mitigation options and strategies.

 

Effectively communicate requirements and train staff and managers in ICT and business application divisions to identify and manage risks throughout the project lifecycle. Conduct quality assurance reviews of security requirements and audit recommendations for the implementation of identified solutions.

 

Design, implement and maintain an integrated IT Governance Risk and Compliance (GRC) architecture, tools and techniques to manage and report risks. Analyze, recommend and implement process improvements within the context of information security.

 

Coordinate the engagement and risk management processes with external risk assessment service providers and act as a liaison with internal ICT project teams and business units.

 

Monitor and drive mitigation of identified risks through persistent follow-up and follow-through with lines of business and ICT stakeholders.

 

Communicate and report on risk metrics to management and governance groups. Coordinate and support the work of information security governance.

 

Support WIPO's ISO 27001 certification by promoting self-compliance with policies and standards by ICT staff and managers. Keep abreast of international information security codes of practice such as ISO 27001/27002 and COBIT, of information security and privacy regulations, and of how these measures could affect information assets owned by, or administered on behalf of, WIPO.

 

Assist with the development of WIPO's enterprise security architecture standards at the business, information, infrastructure, and application level.

As an advocate of information security, work closely and proactively with ICT, project team leaders, service providers, and the business to provide security-related technical solutions.

Identify opportunities to improve business practices or ICT security-related processes.

 

Perform any other duties as assigned.

 

3.  Requirements

 

Education:

 

Essential

First-level university degree in information security, computer science, engineering, mathematics, business or related discipline.

Certifications in information security: CISSP and/or CRISC.

 

Desirable

Additional certifications such as CISM, CIPP, CISA, CISSP-ISSEP, or ISO 27001 Lead Auditor/Implementer.

Advanced university degree in information security, computer science, engineering, mathematics, business or related discipline.

 

Experience:

Essential

 

At least six years’ relevant professional experience in regulated industries (preferably financial or intellectual property) working as an Information Risk Officer or similar for medium to large organizations facing multiple and sophisticated threats.

 

Experience in integrating information risk management into system development, project management, and service management lifecycles.

 

Experience in establishing and maintaining an effective Information Security Management System (ISMS) certified to ISO 27001:2013.

 

Experience in monitoring and managing external service providers’ delivery against service level targets.

 

Desirable

Experience in managing IT security in the areas of identity and access management, infrastructure, network, endpoints, applications, database system technologies, mobility, cloud, virtualization security architectures, and information security process improvement.

 

Languages:

 

Essential

Excellent written and spoken knowledge of English.

 

Desirable

Knowledge of other UN official languages, particularly French.

 

Job-related competencies

 

Essential

Familiarity with a broad range of technologies supplemented by in-depth knowledge in specific areas of relevance. Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals.

 

Analytical skills that enable synthesis and correlation of inputs from many sources, and allow for strategic thinking and tactical implementation. Ability to establish and maintain effective partnerships and working relations in a multi-cultural environment with sensibility and respect for diversity.

 

Good organizational and interpersonal skills to influence others towards a shared vision and positive results with or without the line of command.

 

Excellent written and verbal communication skills that are compelling, convincing and reassuring, with the ability to articulate complex technical ideas to non-technical stakeholders.

 

Personal drive, ownership and accountability to meet deadlines and achieve results.

 

Knowledge and/or skills in the following areas: (i) risk management and control frameworks including ISO 27005, ISO 31000, NIST SP 800-53, COSO, and COBIT; (ii) IT GRC tools; and (iii) security architecture principles and models such as SABSA, Zachman or TOGAF.

 

Desirable

 

Knowledge and/or skills in the following areas: (i) identity and access management technologies; (ii) managed security operations; (iii) web services security; (iv) infrastructure security: n-tier architectures, firewalls, intrusion detection/prevention tools, endpoint security, application whitelisting, network admission controls, policy detection and enforcement controls, web application firewalls, proxies, SOA firewalls, reverse proxies, server and network security controls (Windows/Linux/AIX), database security (SQL DB/Oracle); (v) application security processes and methodologies: secure SDLC, OWASP; (vi) incident management techniques and processes; and (vii) mobile and cloud security.

 

4.  Organizational Competencies

 

  1. Communicating effectively.
  2. Respecting individual and cultural differences.
  3. Showing team spirit.
  4. Managing yourself.
  5. Producing results.
  6. Embracing change.
  7. Respecting ethics and values.
 

5. Information

 

Annual salary:
 
Total annual salary consists of a net annual salary (net of taxes and before medical insurance and pension fund deductions) in US dollars and a post adjustment. The post adjustment (cost of living allowance) is variable and subject to change without notice in accordance with the rates set within the UN Common System for salaries and allowances. The figures quoted below are based on the July 2016 rate of 85.9%.

P3                   With Dependants    No Dependants
Annual salary        $61'470            $57'379
Post adjustment      $52'803            $49'289
Total Salary         $114'273           $106'668

Currency: USD

Salaries and allowances are paid in Swiss francs at the official rate of exchange of the United Nations (not applicable for the External Offices).
 
Please refer to WIPO’s Staff Regulation and Rules for detailed information concerning salaries, benefits and allowances.
 
 
Additional Information
 
By completing an application, candidates understand that any willful misrepresentation made on this web site, or on any other documents submitted to WIPO during the application, may result in disqualification from the recruitment process, or termination of employment with WIPO at a later date, if that employment resulted from such willful misrepresentations.
 
In the event that your candidature is shortlisted, you will be required to provide, in advance, a scanned copy of an identification and of the degree(s)/diploma(s)/certificate(s) required for this position. WIPO only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU) / United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed through the link: http://www.whed.net/. Some professional certificates may not appear in the WHED and these will be reviewed individually.
 
Temporary appointments are renewable, subject to continuing needs, availability of budget and satisfactory performance with a maximum cumulative length of two years.
 
_________________________________________________________________________
 
Additional testing/interviewing may be used as a form of screening. Initial appointment is subject to a satisfactory medical examination.
 
Additional background checks may be required.

 
