Information Security Management Specialist

**Location**:
Brussels, Belgium

**Security Clearance**:
EU Restricted

**Introduction**:
Information Security Management Service aims to ensure the confidentiality, integrity, and availability of the Contracting EU Institutions’ (EU-Is') information, data, and ICT services. This service relies on the identification of the Contracting EU-I's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets. It shall concentrate on the prevention aspect also by capitalizing on the lessons and recommendations learned from passed incidents and recurring security assessments.

Based on the overarching cyber defence and information security strategies, this service involves the design and definition of a sound corporate information security policy framework and is responsible for the implementation of the underlying information security management system. The Information Security Management Specialist will be expected to manage security deployment across all information systems, to ensure the provision of information availability, integrity, and confidentiality, and will be recognized as an ICT security policy expert by the internal and external stakeholders.

**Skills, knowledge, experience required**:

- Minimum 3 years’ experience in:

- Definition/design and implementation of an information security management system (ISMS);
- Writing:

- Security policies;
- Security operating procedures;
- Identity and access management;
- Minimum 5 years’ experience in:

- Risk assessment;
- Security audit/assessment;
- At least 1 certification among:

- CISSP (Certified Information Systems Security Professional);
- CISA (Certified Information Systems Auditor);
- CISM (Certified Information Security Manager);
- GSNA (GIAC Certified Systems and Network Auditor);
- GCCC (GIAC Certified Critical Controls);
- CAP ((ISC)2 Certified Authorization Professional);
- CRISC (ISACA Certified in Risk and Information Systems Control);
- Minimum 3 years’ experience with at least 1 of the following risk assessment methodologies:

- EBIOS;
- CRAMM;
- PILAR;
- Minimum 5 years’ experience with ISO 2700X standards;
- Minimum 8 years’ experience in:

- Networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.);
- ISO 27001 implementation and auditing;
- Cryptography;
- Public key infrastructure (PKI) and hardware security module (HSM) operations;
- Minimum 3 years’ experience with:

- MS Windows operating systems;
- Linux operating systems (Red Hat, Debian).

**Desirable**:

- At least 1 certification among:

- CISSP-ISSMP ((ISC)2 Certified Information Systems Security Management Professional);
- GIAC Certified ISO-27000 Specialist;
- Minimum 5 years’ experience with:

- NIST Special Publication (SP) 800 series;
- CyberArk Enterprise Password Vault (EPV);
- CyberArk Privileged Session Manager (PSM);
- RSA Identity Management and Governance (IMG);
- SailPoint IdentityIQ;
- Minimum 3 years’ experience with:

- Storage (NetApp);
- Networking (Cisco IOS);
- VMware vSphere and ESXi.

**Duties/role**:

- Contributing to development of the Contracting EU-I's cyber defence and information security strategies;
- Drafting information security policies, standards, and guidelines;
- Defining, designing, and maintaining a sound information security management system (ISMS);
- Managing security processes and ensuring the production of ISMS records required to get or maintain a certification;
- Managing the procedures to classify information and assets;
- Performing risks assessments and analysis to identify threats, categorise the assets, and rate system vulnerabilities so that they can implement effective controls;
- Contributing to integration of IT security during a complete project lifecycle for development of IT services and systems, products, and solutions (security by design model);
- Drafting security plans and security operating procedures;
- Integrating security technical controls into systems, solutions, and services;
- Managing information security risks and system certification and accreditation;
- Identifying the threats and assessing effectiveness of the existing controls to face those threats;
- Informing and raising awareness;
- Ensuring promotion of the IT security charter;
- Inspecting and ensuring that the principles and rules for information security are applied;
- Providing guidance on information security;
- Elaborating plans and preparing and documenting releases and maintenance activities (such as patches and software upgrades) which are required to keep a system running at an optimised security condition;
- Assessing compliance of the deliverables related to identity and access management for projects and activities, which shall take place in the context of the operational security acceptance and security testing processes;
- Assessing, proposing, and implementing efficiency gains in the identity and access management processes;
- Man