Company: Cyos Solutions

Address: Melbourne, VIC
Salary: Contract
Category: Accounting & Finance

Job description

Application closing date: Monday, 03 June 2024 • 11:59pm, Canberra time
Estimated start date: Monday, 01 July 2024
Location of work: VIC
Working arrangements: The work is to be performed at the offices of Services Australia in the respective city. Some remote working arrangements may be considered on a case-by-case basis.
Length of contract: 12 months
Contract extensions: 2x 12 months
Security clearance: Must have Negative Vetting Level 1
Rates: $100 - $120 per hour (inc. super)

The Cyber Uplift and Safety Program (CUSP) is focussed on improving the maturity of cyber controls and identifying and mitigating vulnerabilities in the environment. CUSP is seeking a Cyber Risk Analyst to collaborate with the CUSP team to assess enterprise risk. Risks need to be appropriately documented and communicated to influence effective change. Assessment of risks should align with the Essential Eight, Protective Security Policy Framework (PSPF) and the Agency's risk framework.

The Cyber Risk Analyst will be required to undertake work that is highly complex or sensitive and operate under broad direction. They will exercise a considerable degree of independence and perform in a leadership level role. The Cyber Risk Analyst will exercise sound decision making and judgement to produce high level risk and assurance advice.

The following experience and knowledge is required:

  • Extensive experience with risk and information security frameworks, policies and standards, including the Federal Government PSPF and Information Security Manual (ISM), and international standards (ISO 27001/2).
  • Ability to think strategically with the aim of reducing the impact of enterprise risks.
  • Demonstrated working experience in security threat and risk assessment and development of documentation.
  • Demonstrated security experience within complex ICT environments.
  • Strong stakeholder management skills, and the ability to communicate security concepts to non-technical audiences both verbally and in writing.
  • Current and up to date knowledge of common threats and vulnerabilities used by threat actors.
  • Ability to transfer knowledge and develop capability within the team.
  • Tertiary or other relevant qualifications are advantageous.
Key duties may include, but are not limited to:
  • Identify, test, and assess applicable security controls in line with the Australian Government PSPF, ISM and agency policies and guidelines.
  • Assess the impact of risk against Enterprise Risk tolerance.
  • Collaborate widely to ensure risk is assessed at an enterprise level and all plausible remediation activities are identified.
  • Analyse and document security risk and recommend treatments and modifications to security practices and procedures using expertise and technical knowledge.
  • Undertake security risk assessments on key technology components and identify areas for remediation and appropriate remediation controls.
  • Work with the existing team members to analyse the Cyber Risks identified within the broader risk and controls environment to inform an assessment of the risk exposure.
  • Undertake the categorisation and prioritisation of Cyber Risks (and associated remediation actions) identified.
  • Document risk assessments within Services Australia templates.
  • Facilitate discussions with system owners and technical leads around the risks identified and the appropriate remediations.
  • Manage, develop, and support complex relationships with stakeholders to achieve work area goals.
  • Assist with the development and implementation of security policies, procedures, projects, and strategies.
  • Continuously work to improve the efficiency and effectiveness of the cyber security service.
  • Share knowledge and skills to identify and develop capability within the team.
  • Educate and inform departmental staff to promote understanding and ensure adherence to security policy and processes.
Essential Criteria
  • Extensive demonstrated experience with risk and information security frameworks, policies, and standards, including the Federal Government Protective Security Policy Framework (PSPF) and Information Security Manual (ISM), Essential Eight and international standards (ISO 27001/2).
  • Experience analysing risks associated with cyber vulnerabilities, external perimeter technologies (firewall and gateway services specifically) of complex environments.
  • Ability to transfer knowledge and build capability within the team.
  • Ability to document and communicate risk exposure to executive staff effectively to influence necessary change.
Desirable Criteria
  • Experience undertaking enterprise level Cyber Risk analysis at large Government departments on highly complex technology environments.
  • Experience working with system owners and business stakeholders to develop appropriate remediation plans that take into account the underlying business functions and requirements.
  • Strong verbal and written communication skills with the ability to convey complex technical concepts to non-technical senior stakeholders.
  • Demonstrated ability to think critically and solve complex problems.
  • Strong stakeholder management skills, and the ability to communicate security concepts to non-technical audiences both verbally and in writing.
  • Relevant tertiary or other qualifications.
Refer code: 2297894. Cyos Solutions - The previous day - 2024-05-29 20:00
