Security Architect
Date: 30 Oct 2024
Location: Gatwick, GB
Company: Civil Aviation Authority
Salary: £70,000 to £80,000 - (dependent on experience)
Contract Type: Permanent – Full time
Security Level: SC (see "Vetting explained" on GOV.UK, www.gov.uk)
Location: Gatwick – Hybrid – (UK wide candidates to be considered)
We are the UK's aviation regulator and recognised as a world leader in our field. Our activities are diverse, enabling the aviation industry to meet the highest safety standards, and we pride ourselves on our ability to adapt to the constantly evolving aviation environment.
This is an exciting time to join the security function at the CAA. We are about to conclude a multi-year security transformation programme which has changed the culture within the organisation and delivered many new solutions and improvements. You will be pivotal in helping us to apply, embed and enhance the updated tooling and procedures, while having plenty of scope to be influential and make a difference.
The Role
The Security Architect’s role is to define and assess the CAA’s security strategy, architecture and practices and effectively translate business objectives and risk management strategies into specific security processes enabled by security technologies and services.
The role will be involved in planning and developing security architecture and policy, designing or assisting in the design of secure solutions, owning and maintaining the model of security related services, and assuring security related designs created by other CAA colleagues or external suppliers. The incumbent will collaborate across the CAA and with suppliers in relation to security related designs and architecture.
Core Accountabilities
Planning and Developing
- Develops and maintains a security architecture process that enables the enterprise to develop and implement security solutions and capabilities that are clearly aligned with business, technology and threat drivers
- Contributes to security strategy plans and roadmaps based on sound enterprise architecture practices
- Uses the CAA EA tools to develop and maintain security architecture artifacts (models, diagrams, templates, standards and procedures) that can be used to leverage security capabilities in projects and operations, owning the security model
- Supports development of baseline security configuration standards for operating systems e.g. operating system hardening, network segmentation, and identity and access management (IAM)
- Supports development of security principles, policy and standards
- Owns the Security content within the CAA's Non-Functional Requirements
- Participates in technology projects to provide security planning advice
- Reviews security technologies, tools and services, and makes recommendations for their use based on security, financial and operational metrics
- Collaborates with the business continuity function to validate security practices for both disaster recovery planning (DRP) and business continuity management (BCM)
Design
- Designs secure systems/solutions, collaborating with other architects and security consultants
- Designs protective monitoring for specific systems and advises on the monitoring platform's overall requirements
- Documents data flows within the organisation (inclusive of personal data), collaborating with other architects and security consultants and recommending controls to ensure this data is adequately secured, e.g. encryption, tokenisation, etc.
Assurance
- Validates IT infrastructure and other reference architectures for security best practices
- Validates security configurations and access to security infrastructure tools, including firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), anti-malware/endpoint protection systems, etc.
- Contributes to reviews of security rulesets of the CAA’s firewalls and other network devices
- Conducts or facilitates threat modelling of services and applications that tie to the risk and data associated with the service or application
- Coordinates with the DevOps teams to advocate secure coding practices
- Reviews network segmentation to ensure least privilege and effective design for secure network access
- Supports the design, testing and validation of internal security controls
- Collaborates on security assessments of internal systems, applications and IT infrastructure to evaluate the design and operational effectiveness of security-related controls as part of the overall risk management practice of the CAA
- Reviews solution designs to ensure alignment with security policies, practices and strategy where the security architect has not been involved in the design
- Collaborates on vulnerability assessments and other security reviews of systems, and prioritises remediation based on the risk profile of the asset
- Liaises with the supplier management function to conduct security assessments of existing and prospective suppliers, especially those with which the CAA shares intellectual property, PII, ePHI, regulated or other protected data, including:
  - SaaS providers
  - Cloud/infrastructure as a service (IaaS) providers
  - Managed service providers
  - Payroll providers
- Evaluates the statements of work from these providers to ensure that adequate security protections are in place. Assesses the providers' audit reports (or alternative sources) for security-related deficiencies and required "user controls"
- Contributes to incident response and review, incorporating lessons-learned into existing security architectures and practices
About You
Minimum essential requirements for the role:
- IT experience with a direct responsibility for security architecture and design.
- Knowledge of security design in two of the following domains should be demonstrable:
  - Applications
  - Data
  - Business
  - Technology/Infrastructure
  - Enterprise
- The role requires knowledge and skills that are both broad and deep with awareness of good practices in security architecture that are effective in both waterfall and agile deliveries in the face of rapidly changing requirements
- To be effective the role will need to have experience of a range of hardware and software environments and be comfortable with complex heterogeneous systems environments
- A demonstrable understanding of some of the technologies and methodologies employed by and planned for use by the authority is required for this role. In particular, Microsoft Azure Technologies
- A demonstrable understanding of DevOps and the concepts of CI/CD
- The role needs an ability to share and communicate ideas effectively, both orally and in writing, to business sponsors, management staff, technical resources and other staff, in clear, concise language that is appropriate to each group. The Architect is likely to encounter situations in which the needs of different stakeholders are in conflict and/or are at odds with the EA for the CAA, and will need the ability to balance these needs and constraints
- Ability to influence others to promote good working practices or to change opinions in situations where opposing views are held and present outcomes articulately
- Excellent numeracy, analytical and problem-solving skills
- Ability to work under pressure
- Ability to obtain and maintain a security clearance to SC Level
Desirable skills for the role:
- Bachelor of Science degree in Engineering, Computer Science, or related technical field with demonstrated related experience
- Any of the following qualifications:
  - CISSP
  - CISSP-ISSAP
  - CRTSA
  - GDSA
- An understanding of TOGAF
- Knowledge in any of the following:
  - Cryptography
  - Operating Systems & Virtualisation Security
  - Distributed Systems Security
  - Formal Methods for Security
  - Authentication, Authorisation & Accountability
  - Software Security
  - Web & Mobile Security
  - Secure Software Lifecycle
  - Applied Cryptography
  - Network Security
  - Hardware Security
  - Cyber-Physical Systems Security
  - Physical Layer & Telecommunications Security
  - Cloud Security
Inclusivity
We are proud to be an equal opportunity employer and celebrate our diversity, ensuring all backgrounds are included here at the CAA. As a member of the Disability Confident scheme, applicants who meet the minimum criteria for a role with us will be guaranteed an interview.
Our Benefits
We offer a range of excellent benefits such as:
- Flexible & hybrid working arrangements available
- 28 days annual leave + public holidays (additional 5 days leave purchase scheme)
- Generous pension scheme (Up to 12% employer contribution)
- Wellbeing Room at Gatwick
- Mental Health and Suicide First Aiders
- Employee Assistance Programme, talking therapies and neurodiversity support via Occupational Health & access to Headspace for colleagues and 5 dependents
- Free onsite gym at Gatwick or discounted gym membership for London
- EV charging points
- Employee Development courses internally and via Skillsoft
Our Values
Do The Right Thing, Never Stop Learning, Build Collaborative Relationships, Respect Everyone
Closing Date: Wednesday 13th November 2024
Screening Calls: We will invite shortlisted individuals to initial briefing calls to discuss the role and their experience in detail.
Interview Dates: w/c Monday 25th November 2024
We reserve the right to close this vacancy early if we receive sufficient applications for the role. Therefore, if you are interested, please submit your application as early as possible.
No recruitment agencies please.