Ict Security Risk Manager Consultant

**TECHNICAL ANNEX**

In the context of developing a new Single Resolution Mechanism system, the objective of this mission is to request services of an ICT Security Risk Manager Consultant that will support the SRB in defining and initiating a second line of defence ICT Security function.

The SRB has an active ICT Security function within the ICT Operations team, and the SRB has defined its ICT Security Framework composed of policies, procedures, guidelines, baselines and processes. However, the SRB has not implemented a second line function for ICT security that would be independent from ICT operations and monitor in a comprehensive manner the implementation of policies, baselines and controls.The consultant is requested to help the SRB in defining the role and tasks of a future ICT Security Risk Manager assuming the second line of defence in ICT Security, and performing the first tasks as prioritised and agreed with the SRB.

**PROVISIONAL DESCRIPTION OF THE WORK**
The following services will be provided:

- Define the roles and responsibilities of the second line ICT Security Risk Manager and ICT Operations/Security in line with the three lines of defence model (see an illustration of the split of first and second line of defence in annex);
- Define a roadmap for the implementation of the second line of defence function for ICT security;
- Define internal procedures and templates for the execution of the duties of the ICT Security Risk Manager;
- Perform tasks of the second line of defence for ICT security such as:

- In cooperation with the IT Security team, review the ICT Security Framework of the SRB;
- Review the execution and results of penetration tests and other security assessments performed or procured by the ICT Security team;
- Generally monitor, and report on, the implementation of the ICT Security policies, baselines and controls by the SRB;
- Assist in defining the SRB ICT security risk appetite and tolerance;
- Take on additional tasks as required in the interest of the service.
- The consultant will work in cooperation with the first line ICT security team and in general the ICT unit, but will produce his/her deliverables for the Head of Unit of Human Resources
**KNOWLEDGE AND SKILLS**

Knowledge and skills required for an ICT Security Risk Manager Consultant level 5 are:

- The ability to work independently but in good cooperation with others;
- A ‘can-do’ attitude;
- The ability to take decisions under pressure;
- The ability to focus on service and results, always with strong motivation;
- Flexibility and innovation.

Desirable:

- Knowledge of security policies and guides on handling EU classified information or equivalent high security environments;
- Excellent skills in drafting IT documentation;
- SANS or OSCP IT Security Certifications;
- Scripting ability;
- Knowledge of Cisco network devices such as ASA firewalls, ISE, Web Security Appliance, etc. is a plus.
**SPECIFIC EXPERTISE**

ICT Security Risk Manager Consultant level 5 with a minimum:

- Corresponding level of education as specified in Annex 5 of the Tender Specifications;
- 13 years of professional experience acquired in positions related to the profile of the post The consultant will be required to demonstrate that he/she has:

- Knowledge of ICT security logging and monitoring;
- Knowledge of ICT security incident management;
- Knowledge of ICT security vulnerability and patch management;
- Knowledge of access management;
- Experience in implementing ICT security and audits policies;
- Experience in ICT security risk management, and generally in governance, risk and control frameworks;
- Experience is setting up or managing second line ICT security risk management functions;
- Experience in reporting to senior management;
- An excellent knowledge of English.
**WORK ENVIRONMENT/CONDITIONS**
- All work, meetings and presentations will be held in SRB’s premises.
- All deliverables will be written in English and meetings will be conducted in English.