Security Architect Principal - ONS - G6
Government Digital & Data
ONS operates a flexible hybrid working model across the UK, with colleagues linked to one of our contractual locations in Newport, Titchfield (Fareham), London, Manchester, and working between office and remote throughout the week.
As part of the hybrid working arrangement there is a minimum office attendance requirement of 40%. Attendance is typically at your contractual office, with occasional travel to alternative locations. Due to estates constraints, there is currently a temporary exception to this for colleagues based at Manchester, who are required to attend the office for a minimum of 20% of their work time.
About the job
Job summary
The Office for National Statistics (ONS) has a long history of working with personal, economic and commercial information. Security and the management of information used for corporate and statistical activities is critical to business operations and the trust that citizens place in us. ONS has a strong commitment to protecting this information.
The last few years have seen an extensive overhaul of security and information management to meet the challenges of corporate and statistical transformation in technology, methods and practice, the Digital Economy Act and organisational risk appetite. The capability is evolving and expanding to address changes in threat and business direction.
Security and Information Management Directorate (SaIM) operates five key services across ONS: security risk advice and management; knowledge and information management (KIM); physical security and business continuity; security compliance and audit; security operations including our Security Operations Centre.
Job description
The Security Architect Principal role forms part of the Advisory Security team within the Security and Information Management Division at the Office for National Statistics (ONS). The role reports to the Head of Cyber Security Risk Management.
Security architecture relates to the secure design of systems. It combines technical architecture and risk management, along with knowledge of how systems can be compromised to help design systems that (among other things) are sufficiently hard to compromise or disrupt while being sufficiently easy to monitor and maintain.
The primary focus of the role is to provide the organisation with security advice and best practice to develop 'Secure by Design' protections for organisational assets and to embed the ONS Security Framework (principles, policies, processes, threat model and security risk management) across the ONS.
The Security Architect advises and enables technical teams to make security decisions. They provide advice and guidance to ensure common tools and patterns are used effectively to deliver secure systems, and they implement proportionate controls to enable business outcomes.
The focus, outcomes and responsibilities are aligned to the Government Security Profession framework for the Security Architect - Principal role.
Responsibilities
- Support the development of business-focused security solutions for digital products and business operations that cover data collection, storage and processing, deployed both internally and externally.
- Advise projects with high strategic impact, setting a strategy that can be used in the long term and across the whole organisation.
- Develop the vision and strategy for security architecture across multiple projects or technologies.
- Recommend security design across multiple projects or technologies, up to an organisational or inter-organisational level, solving unprecedented issues and problems.
- Influence key organisational and architectural decisions and interact with senior stakeholders across organisations to reach and influence a wide range of people across larger teams and communities.
- Review system architectures to:
  - identify single points of vulnerability and common architectural flaws;
  - identify security issues relating to the configuration of components in an architecture;
  - validate and explain how common attack methods are mitigated by the design.
- Identify areas where detailed technical analysis will be required to understand important nuances that could have significant security implications.
- Articulate the security issues identified, and propose and prioritise appropriate mitigation options, taking into consideration other potential constraints (functional impact, cost etc.).
- Contribute to the design of system architectures that solve common business problems, including specifying the required security controls.
- Understand the context and have the domain knowledge required to tailor advice to the specific needs of the business.
- Design and review system architectures for a broad range of complex or uncommon requirements to identify security weaknesses and recommend mitigations.
- Design (or significantly influence) the technical design of a system to enforce security properties that have been derived from first principles to meet a complex or uncommon set of requirements.
- Follow a methodical and repeatable approach to reviewing the security of a system architecture, and be able to describe that approach.
- Advise on security architecture implications of technological trends when applied to existing systems, such as migration to the cloud. Can explain how those technologies change the security approach required.
- Contribute to new and innovative security architecture guidance for others to re-use.
- May have one or more technology specialisms where they are regarded as an expert in how their specialism supports security architecture design (e.g. telecoms, power, micro service architectures, identity).
Person specification
Essential skills criteria
- Expert knowledge of application, infrastructure and networking security controls and systems covering physical, procedural and technical (ICT) areas, particularly in relation to data management.
- Experienced in providing detailed security advice and technical security solutions in a UK Government Department.
- Good knowledge of the UK Government Security Policy Framework and of information assurance standards and legislation, e.g. ISO 27001 and the DPA.
- Working towards relevant professional qualifications and memberships, e.g. Senior Practitioner level within the CESG Certified Professional (CCP) scheme, or British Computer Society (BCS) membership.
- Track record of working as part of a multi-divisional team in a multi-discipline environment.
Link to The Government Security Profession career framework
Behaviours
We'll assess you against these behaviours during the selection process:
- Communicating and Influencing
- Seeing the Big Picture
- Delivering at Pace
Technical skills
We'll assess you against these technical skills during the selection process:
- Applied Security Capability
- Information Risk Assessment and Risk Management
- Threat Understanding
- Security Architecture