Senior Security Assessor Cyber Advisors (PROJ-4535)

Brisbane Canberra Melbourne
18 September 2025
NV2
Application ends: 13 October 2025
$155 - $185

Job Description

Remote is seeking multiple Senior Security Assessor Cyber Advisors to join the team in ASD. ASD is managing the challenge of delivering Authority to Operate (ATO) over the TS Cloud as a strategic risk to the Program. With close oversight provided by ASD security authorities and NIC security stakeholders, the ATO team is taking an agile and flexible approach to assessing and authorising the TS Cloud ICT platform within the timeframe of the Program’s overall delivery schedule. The approach will apply contemporary agile delivery principles and a tailored ISM-based security risk assessment methodology to build security assurance incrementally throughout the TS Cloud build phase, and will employ streamlined and automated security assurance methods where possible. The ATO team’s Cloud Security Assessor will be comfortable working in this manner to ensure a high level of security assurance over the TS Cloud solution is achieved.  (LH-02905)

Role Description

Key duties and responsibilities

The Cloud Security Assessor will perform the following duties and responsibilities:

  • Work in close collaboration with the ATO team counterparts to plan, conduct and deliver security assessments of component parts of the TS Cloud platform, Cloud Service Provider (CSP) Services and other cloud adoption technologies. Security assessments will consider the involvement of people, processes and technologies in each component and will yield a high level of overall security assurance commensurate with the TS classification of the solution.
  • Identify and engage relevant NIC and CSP security authorities, subject matter experts and business stakeholders in security assessment activities, via face-to-face, written and online communications channels. Ensure that assessment outcomes are comprehensive, complete, defensible and clearly communicated to the right stakeholders, at the right time and at the right level of detail.
  • Conduct cloud security assessments methodically and in accordance with a defined ATO team process aligned with the Information Security Manual’s risk-based approach to cyber security. That process features key steps including:
      • Information gathering and analysis leveraging CSP, industry and open sources
      • Defining and modelling the component to be assessed
      • Modelling security threats to the component to be assessed by drawing upon personal knowledge, stakeholder expertise, and classified and open-source threat information
      • Identifying security controls implemented by the component and assessing their effectiveness against identified threats
      • Assessing security risk of the component using ASD’s established enterprise risk assessment framework and, where necessary, recommending additional security controls to reduce security risk
      • Producing cloud security assessment artefacts contributing to the TS Cloud ATO body of evidence and informing business risk acceptance and authorisation decisions by relevant governance bodies and security authorities.

Essential criteria

  • First-hand experience conducting and delivering security risk assessments for large and complex technology solutions, in line with the Protective Security Policy Framework and Information Security Manual.
  • Ability to communicate security threats, risks, mitigations and recommendations clearly and with influence – in verbal and written form – to a broad spectrum of stakeholders. Stakeholders include but are not limited to peer groups, technical specialists, security authorities, system owners, business owners and senior executives.
  • Comfortable working in a team environment with common goals and priorities. Responsive to tasking and priorities from a team leader or project manager, adheres to guidance and quality standards of technical and/or security authorities, collaborates with stakeholders and peers on the delivery of high quality outputs, and applies established team processes and ways of working.
  • Relevant IT Security qualifications and certifications, such as Certified IRAP Assessor, CISA – Certified Information Systems Auditor, GSNA – GIAC Systems and Network Auditor, or Bachelor/Masters in Cyber Security.

Desirable criteria

  • Experience in delivery of large and complex technology programs or projects using contemporary agile methodologies and tools.
  • Cloud platform security certifications.