3065 SIEM (Splunk) SME

2 weeks ago


Mons, Belgium. Contact One Communications, Inc. Full-time

SIEM Infrastructure Management
- Cybersecurity
- Iterative approach using sprints.

**Required Security Clearance**: NATO Secret

**Scope of Work**
The aim of this Statement of Work (SOW) is to support NCSC with technical expertise in the operation and maintenance of the cyber security SIEM (Splunk) infrastructure, covering infrastructure management and log collection.

VISION and EXPECTED OUTCOMES (Deliverables)
Under the direction of the CSDE Cell Head, the SEC007 SDM or a delegated authority, the SIEM SME will be part of the NCSC team supporting the following activities:
Log collection
- Manage the onboarding of new log sources into the SIEM, which includes, but is not limited to: the log ingestion process from data sources located on premise or in the cloud, mapping the data to the Splunk Common Information Model (CIM), integration with existing Splunk data models, testing log ingestion, and validating log ingestion quality with stakeholders.
- Document all relevant information in Confluence in accordance with CSDE standards.
- Coordinate this activity with the CSDE team and T3 customers.
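As an added example (not part of this posting, and not NCSC or Splunk code), the following Python script shows the kind of onboarding check a SIEM SME runs before signing off log ingestion quality with stakeholders: it applies a field-alias mapping, the offline equivalent of a props.conf FIELDALIAS stanza, to constructed sample events, then reports per-sourcetype coverage of a subset of the CIM Authentication data model fields, action values outside the model's prescribed set, and events whose timestamp was not extracted. The events, the alias map, the action map and the 99% coverage threshold are all assumptions made for the example.

```python
"""Onboarding check for a new log source: apply the field mapping and verify
that events carry the fields a Splunk CIM data model needs.

Added example for this posting; not NCSC or Splunk code.  Events, field
aliases and thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict

# Subset of the CIM Authentication data model fields and its prescribed
# action values (assumption: extend to the full field list of the model).
CIM_AUTH_REQUIRED = ("action", "app", "src", "dest", "user")
CIM_AUTH_ACTIONS = {"success", "failure", "pending", "error"}

# Offline stand-in for a props.conf FIELDALIAS stanza: raw field -> CIM field,
# per sourcetype.  Constructed for this example.
FIELD_ALIASES = {
    "vpn:auth": {"username": "user", "client_ip": "src", "gateway": "dest",
                 "result": "action"},
}
# Offline stand-in for an EVAL/lookup that normalises vendor action strings.
ACTION_MAP = {"ok": "success", "allowed": "success", "denied": "failure"}

# Constructed sample events as they would look after index-time parsing.
SAMPLE_EVENTS = [
    {"sourcetype": "vpn:auth", "_time": 1700000000, "username": "alice",
     "client_ip": "10.0.0.5", "gateway": "vpn1", "result": "ok", "app": "corp-vpn"},
    {"sourcetype": "vpn:auth", "_time": 1700000060, "username": "bob",
     "client_ip": "10.0.0.6", "gateway": "vpn1", "result": "denied", "app": "corp-vpn"},
    {"sourcetype": "vpn:auth", "_time": 1700000120, "username": "carol",
     "client_ip": "10.0.0.7", "result": "ok", "app": "corp-vpn"},  # no gateway field
    {"sourcetype": "vpn:auth", "_time": None, "username": "dave",        # _time not extracted
     "client_ip": "10.0.0.8", "gateway": "vpn1", "result": "timeout", "app": "corp-vpn"},
    {"sourcetype": "app:login", "_time": 1700000200, "user": "erin",     # already CIM-named
     "src": "10.0.1.1", "dest": "portal", "action": "success", "app": "portal"},
]


def normalise(event):
    """Apply the alias map and action normalisation for the event's sourcetype."""
    out = dict(event)
    for raw, cim in FIELD_ALIASES.get(out.get("sourcetype", ""), {}).items():
        if raw in out and cim not in out:
            out[cim] = out[raw]
    if out.get("action") is not None:
        value = str(out["action"]).lower()
        out["action"] = ACTION_MAP.get(value, value)
    return out


def audit(events, required=CIM_AUTH_REQUIRED, actions=CIM_AUTH_ACTIONS):
    """Per-sourcetype coverage of the required CIM fields, count of events with
    a non-prescribed action value, and count of events without a usable _time."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev.get("sourcetype", "<none>")].append(normalise(ev))
    report = {}
    for st, evs in grouped.items():
        missing = Counter()
        stats = {"total": len(evs), "fully_mapped": 0, "bad_action": 0, "bad_time": 0}
        for ev in evs:
            gaps = [f for f in required if not ev.get(f)]
            missing.update(gaps)
            if not gaps:
                stats["fully_mapped"] += 1
            if ev.get("action") not in actions:
                stats["bad_action"] += 1
            t = ev.get("_time")
            if not isinstance(t, (int, float)) or t <= 0:
                stats["bad_time"] += 1
        stats["coverage"] = stats["fully_mapped"] / stats["total"]
        stats["missing"] = dict(missing)
        report[st] = stats
    return report


def onboarding_blockers(report, min_coverage=0.99):
    """Sourcetypes that should not be signed off yet, with the reasons."""
    blockers = {}
    for st, s in report.items():
        reasons = []
        if s["coverage"] < min_coverage:
            reasons.append("missing fields: " + ", ".join(sorted(s["missing"])))
        if s["bad_action"]:
            reasons.append(f"{s['bad_action']} event(s) with non-CIM action value")
        if s["bad_time"]:
            reasons.append(f"{s['bad_time']} event(s) without extracted _time")
        if reasons:
            blockers[st] = reasons
    return blockers


if __name__ == "__main__":
    for st, reasons in onboarding_blockers(audit(SAMPLE_EVENTS)).items():
        print(st, "->", "; ".join(reasons))
```

Run against a sample exported from the new source, a sourcetype only drops out of `onboarding_blockers` once every required field is populated, the action values match the data model's prescribed set and every event has an extracted `_time`; those are exactly the things the data model searches and the correlation content built on them depend on without complaining when they are wrong.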

Service availability and monitoring
- Act as one of the engineers and Subject Matter Expert (SME) for the SIEM and Log Collection services within the Cyber Security Data team.
- Monitor the availability and performance of the SIEM environment, including log collection.
- Detect and report to the SDM any service degradation.
- Take appropriate action to restore the environment to a fully operational state when a problem is detected.
- Follow best practices for maintaining the Splunk environment in a stable and reliable state, with the objective of preventing any service degradation.
- Ensure that the data security systems operate within the KPIs defined in the Service Level Agreements with NCSC customers.
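As an added example (again not part of this posting, and not NCSC or Splunk code), the following Python script shows one way to detect log collection degradation before analysts notice missing events: a baseline lookup of the sources that must be reporting is compared with the last-hour summary a scheduled search exports. A source is flagged as silent when it is absent from the summary, as stale when its last event is older than the silence limit recorded in the baseline, and as a volume drop when its event count is below half the expected hourly volume; a source present in the summary but not in the baseline is reported as unexpected. The two CSVs, the column layout (modelled on what a `tstats count max(_time) by index sourcetype host` search would export) and the thresholds are assumptions made for the example.

```python
"""Log-source health check: compare the per-source summary a scheduled search
returns with a baseline lookup of the sources that must be reporting.

Added example for this posting; not NCSC or Splunk code.  Both CSVs are
constructed; the column layout mimics a `tstats count max(_time) by index
sourcetype host` export (assumption) and the thresholds are illustrative.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Baseline lookup: sources that must report, their expected hourly volume and
# how long they may be silent before it counts as a degradation.  Constructed.
BASELINE_CSV = """index,sourcetype,host,expected_per_hour,max_silence_min
security,wineventlog:security,dc01,40000,15
security,wineventlog:security,dc02,35000,15
network,cisco:asa,fw-edge-1,120000,5
network,cisco:asa,fw-edge-2,110000,5
linux,linux_secure,bastion01,300,30
"""

# Last-hour summary as exported by the scheduled search.  Constructed.
CURRENT_CSV = """index,sourcetype,host,count,last_seen
security,wineventlog:security,dc01,41250,2024-03-04T09:59:30Z
security,wineventlog:security,dc02,9800,2024-03-04T09:58:10Z
network,cisco:asa,fw-edge-1,118000,2024-03-04T09:59:58Z
linux,linux_secure,bastion01,200,2024-03-04T09:12:00Z
linux,linux_secure,jump02,45,2024-03-04T09:55:00Z
"""

NOW = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
VOLUME_DROP_RATIO = 0.5   # below half the expected hourly volume counts as a drop


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _key(row):
    return (row["index"], row["sourcetype"], row["host"])


def check_sources(baseline_csv, current_csv, now, drop_ratio=VOLUME_DROP_RATIO):
    """Return {(index, sourcetype, host): [reasons]} for every source that
    needs attention.  Healthy baseline sources are omitted."""
    baseline = {_key(r): r for r in csv.DictReader(io.StringIO(baseline_csv))}
    current = {_key(r): r for r in csv.DictReader(io.StringIO(current_csv))}
    findings = {}
    for key, exp in baseline.items():
        reasons = []
        cur = current.get(key)
        if cur is None:
            reasons.append("silent")            # nothing at all in the window
        else:
            if int(cur["count"]) < drop_ratio * int(exp["expected_per_hour"]):
                reasons.append("volume_drop")
            silence = now - _parse_ts(cur["last_seen"])
            if silence > timedelta(minutes=int(exp["max_silence_min"])):
                reasons.append("stale")
        if reasons:
            findings[key] = reasons
    for key in current.keys() - baseline.keys():
        findings[key] = ["unexpected"]          # new source: onboard it or stop it
    return findings


def severity(reasons):
    """Map finding reasons to the level to raise towards the SDM."""
    if "silent" in reasons or "stale" in reasons:
        return "critical"
    if "volume_drop" in reasons:
        return "warning"
    return "info"


if __name__ == "__main__":
    for key, reasons in sorted(check_sources(BASELINE_CSV, CURRENT_CSV, NOW).items()):
        print(severity(reasons).upper(), "/".join(key), ",".join(reasons))
```

Scheduled every few minutes against the real search output, the critical findings are what gets reported to the SDM. The unexpected category is worth keeping as well: a forwarder nobody baselined writing into a security index is either an onboarding that bypassed change management or something that deserves a closer look.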

Change management
- Follow the NCSC change management process to obtain approval before implementing changes. This includes, but is not limited to: creating the change request, ensuring all necessary information is provided with due diligence, following up the change request to ensure prompt approval, attending the CAB meeting when necessary, and providing an impact assessment when required.
- Coordinate all such changes with CSDE and external teams.
- Develop and maintain documentation guidelines, standard operating procedures, system and service design documents and other relevant documentation supporting management of the data security systems.

Outcome
- Assigned tasks shall be completed within the time allocated for the task by the requestor in the NCSC ticketing system(s). For an external request, the applicable time is the time allocated by the CSDE cell head, the SDM or one of their delegated authorities.

Reporting and advisory role
- Attend meetings when there is a need to represent the cell, provide technical advice, or report relevant information to the team or other stakeholders.
- Report any relevant information to the cell head, the SDM or other team members.

Providing support to customers
- Provide support to customers (mainly security analysts, but not limited to them) facing issues or needing technical assistance.

**Skills, Knowledge Experience**

The Operation and Maintenance Expert in SIEM (Splunk) infrastructure management and log collection must have demonstrated the skills, knowledge and experience listed below:

- A good understanding of IT Security.
- At least 2 years of relevant experience and strong technical skills in administering, deploying, installing, configuring and maintaining large distributed Splunk Enterprise environments.
- Good programming skills in at least one of these languages: Ansible, Python or Bash.
- A good understanding of networking and various protocols such as TCP/IP, HTTP(S), DNS.
- Ability to work autonomously.
- Accuracy and attention to detail.
- Each team member shall be dressed suitably for meetings with high ranked officials.
- Strong reporting skills to various levels of seniority.
- Language Proficiency: A thorough knowledge of English language, both written and spoken, is essential.
- Responsible for complying with all applicable local employment laws, in addition to following all SHAPE & NCIA onboarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.
- The service provider shall be required to provide services on NCIA working days.


  • 2024-0272 Support for SIEM

    2 weeks ago


    Mons, Belgium. EMW. Full-time

    The candidates submitted in the first round were considered not compliant due to the following: The candidate doesn't have any demonstrated experience to act as one of the engineers and Subject Matter Expert (SME) for SIEM and Log Collection services within the Cyber Security Data team; No clearly demonstrated extensive experience in managing big Splunk...

  • Support in SIEM

    20 hours ago


    Mons, Belgium. Enterpryze Consulting Ltd. Full-time

    **EXPERIENCE AND EDUCATION**: **Essential Qualifications/Experience**: - A good understanding of IT Security - 2+ years of relevant experience and strong technical skills in administering, deploying, installing, configuring and maintaining large distributed Splunk Enterprise environment - Good programming skills in at least one of these languages:...


  • Cyber Security Data Log Specialist

    Mons, Belgium. Enterpryze Consulting Ltd. Full-time

    **Cyber Security Data Log Specialist** - **Working Location**: Mons, Belgium - **Security Clearance**: NATO Secret - **Language**: High proficiency level in English language. **EXPERIENCE AND EDUCATION**: **Essential Qualifications/Experience**: - 1+ year of extensive practical experience as Splunk administrator (deployment, installation, configuration and...

  • IT Security Specialist

    1 week ago


    Mons, Belgium. Uni Systems. Full-time

    At Uni Systems, we are working towards turning digital visions into reality. We are continuously growing and we are looking for an IT Security Specialist to join our UniQue team. What will you be doing in this role? Act as one of the engineers and Subject Matter Expert (SME) for SIEM and Log Collection services within the Cyber Security Data team. Support in...