Security Governance Consultant

**Location**:
Geneva, Switzerland

**Introduction**:
United Nations International Computing Centre (UNICC), within its Cybersecurity Division, seeks a Security Governance Consultant to facilitate the execution of internal or external projects.

**Skills, knowledge, experience required**:

- A university degree (a Bachelors’ Degree) in computer science, information systems, mathematics, statistics or a related field, or equivalent experience;
- Minimum 10 years’ professional experience in information security, risk management, IT security, security incident response or security testing-related jobs;
- Experience in:

- Developing information security policies and procedures;
- Executing programmes successfully;
- Managing/working in large ICT programmes;
- Producing technical documentation including user requirement documents, proposals in response to project requirements;
- Drafting processes and procedures documentation;
- Working with MS Office tools and MS Project;
- Experience with medium/complex size projects;
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT, etc.;
- Ability to:

- Understand technical and business aspects of IT risk and communicate those risks to management, business, and technical units so that the organization can make informed decisions regarding appropriate levels of information security control;
- Act calmly and competently in high-pressure, high-stress situations;
- Professionally handle confidential matters and show an appropriate level of judgment and maturity;
- Strong analytical and problem-solving skills;
- Excellent written and verbal communication, interpersonal, and collaborative skills;
- High level of personal integrity;
- High degree of initiative, dependability and ability to work with little supervision;
- Expert knowledge of English (oral and written).

**Desirable**:

- 3 years’ experience working in security consulting engagements;
- Experience in achieving and maintaining ISO 27001 certification;
- Project management skills with the ability to manage multiple projects under strict timelines;
- Certifications such as:

- Certified Information Security Manager (CISM);
- Certified in Risk and Information Systems Control (CRISC);
- Certified in the Governance of Enterprise IT (CGEIT);
- Certified Information Systems Security Professional (CISSP);
- Knowledge of another UN language.

**Duties/role**:

- Developing, implementing, and monitoring strategic comprehensive enterprise information security and IT risk management programmes to ensure that the integrity, confidentiality, and availability of information is managed and controlled by the client organizations;
- Providing regular reporting on the current status of the information security program to Senior Management and business units as part of a strategic enterprise risk management program;
- Implementing governance programmes including an information security steering committee or advisory board;
- Creating, communicating, and implementing process for risk management, including the assessment and treatment of identified risks, working directly with business units and stakeholders throughout the organization on identifying acceptable levels of residual risk, and reporting and overseeing treatment efforts;
- Creating and managing information security and risk management awareness training programmes for all employees, contractors, and approved system users;
- Developing, maintaining, and publishing up-to-date information security policies, standards, and guidelines, as well as overseeing the approval, training, and dissemination of security policies and practices;
- Developing and enhancing an information security management framework based on the ISO 27000 standards, and creating a framework for roles and responsibilities with regard to information ownership, classification, accountability, and protection;
- Coordinating information security and risk management projects and providing strategic risk guidance for IT projects;
- Managing security incidents and events to protect corporate IT assets, including intellectual property, sensitive data, and the organization’s reputation;
- Monitoring the external threat environment for emerging threats and advising relevant stakeholders on the appropriate courses of action;
- Developing and overseeing effective disaster recovery policies and standards, coordinating the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event, and providing direction, support, and in-house consulting in these areas;
- Liaising among external and internal stakeholders, including audit, legal, and HR management teams as required, to ensure that the organization maintains an appropriate security posture;
- Managing Information Security Specialists and Consultants;
- Performing other related duties and fulfilling responsibilities as required.

VECTOR S