Position Title : ICT Security Officer (Application Specialist)
Duty Station : Valencia, Spain
Classification : Professional Staff, Grade P3
Type of Appointment : Fixed term, one year with possibility of extension
Estimated Start Date : As soon as possible
Closing Date : 03 November 2021
Established in 1951, IOM is a Related Organization of the United Nations, and as the leading UN agency in the field of migration, works closely with governmental, intergovernmental and non-governmental partners. IOM is dedicated to promoting humane and orderly migration for the benefit of all. It does so by providing services and advice to governments and migrants.
IOM is committed to a diverse and inclusive work environment. Read more about diversity and inclusion at IOM at www.iom.int/diversity.
Applications are welcome from first- and second-tier candidates, particularly qualified female candidates as well as applications from the non-represented member countries of IOM. For all IOM vacancies, applications from qualified and eligible first-tier candidates are considered before those of qualified and eligible second-tier candidates in the selection process.
For the purpose of this vacancy, the following are considered first-tier candidates:
- Internal candidates
- Candidates from the following non-represented member states:
Antigua and Barbuda; Aruba (Netherlands); Botswana; Cabo Verde; Comoros; Congo (the); Cook Islands; Cuba; Fiji; Gabon; Guinea-Bissau; Guyana; Holy See; Iceland; Kingdom of Eswatini; Kiribati; Lao People’s Democratic Republic (the); Latvia; Libya; Luxembourg; Marshall Islands; Micronesia (Federated States of); Montenegro; Namibia; Nauru; Palau; Saint Kitts and Nevis; Saint Lucia; Saint Vincent and the Grenadines; Samoa; Sao Tome and Principe; Seychelles; Solomon Islands; Suriname; The Bahamas; Timor-Leste; Tonga; Tuvalu; Vanuatu
Second tier candidates include:
All external candidates, except candidates from non-represented member states.
Context:
Under the direct supervision of Senior ICT Security Officer (SISO) and in close collaboration with relevant Information and Communications Technology (ICT) Units at Headquarters (HQ) and worldwide ICT Teams, the successful candidate will be responsible for enhancing the maturity and capabilities of its Application and App Security focusing on automating security and strategizing vulnerability and threat management. This covers all aspects of application security and all types of applications such as mobile, web applications, and websites, as well as Application Programming Interface (API) and serverless interfaces.
Core Functions / Responsibilities:
- Establish the classification scheme of all mobile, websites, web applications/apps, and APIs and lead and continuously implement the classification.
- Create a Security Service Catalog of application/app security. It should include the services offered by the security team, its definition, supporting model, Servie Level Agreements (SLAs), and how it would be measured and monthly reported and monitor the SLA of services offered by third-party providers to ensure the highest level of customer service based on contract agreements.
- Shift the culture towards full integration of security throughout the life of Information Assets taking advantage of DevSecOps, and threat modeling; and automating security (Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), threat modelling) including ensuring of cleansing and cleaning at the end of the life, disposal, or migration of the apps/applications/APIs in close contact with the developer, application owner and the business parterres.
- Improve maturity level of application and app security to the defined higher level;and measure and report the progress regularly by developing Key Performance Indicators (KPI)/metrics for performance and risk monitoring.
- Provide necessary training and technical advice not only to the ICT audience but also to the other units of the organization. This includes gamification activities related to secure development tasks and, if needed, perform mentoring activities of the development team.
- Reviews ICT architectures and implementation details for design flaws, incorrect security implementation, and missing security controls and participate in the development of information security strategies as well as in deep technical discussions to ensure solutions are securely designed for successful deployment in the cloud and/or on-prem.
- Perform security assessments and evaluations of existing on-prem and/or cloud-based environment and support third-party pentesting activities that include the definition of terms of reference and the quality assurance of the deliverables by ensuring that websites/applications/apps are protected against major risks and other vulnerabilities using security controls and strategically.
- Implement industry standard risk management technique and knowledge across various business application security capabilities, for the respective applications, data, interfaces, websites and mobile to determine effectiveness of controls and to create action plans that remediate identified risks
- Document and report on processes and procedures, additionally, provide advisory and/or create security policies based on international standards and regulations and compose essential project documentation.
- Perform such other duties as may be assigned.
Required Qualifications and Experience:
Education
• Master’s degree in computer science, information systems, mathematics, statistics or related field from an accredited academic institution with five years of relevant professional experience; or
• University degree in the above fields with seven years of relevant professional experience.
• Professional certification such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Chief Information Security Officer (CCISO), Certified Secure Software Lifecycle Professional (CSSLP), Certified Secure Web Application Engineer (CASE), Certified Secure Web Application Engineer (CSWAE), Governance, Risk, and Compliance Professional (GRCP), Certified Ethical Hacker (CEH), or related will be a distinct advantage in addition to cloud computing certifications at associate/professional/specialty level from Azure and/or AWS.
• Information Technology Infrastructure Library (ITIL) and Prince2 Foundation are added advantages.
Experience
• Five or more years experience in Application-level vulnerability testing and auditing and application security;
• Five or more years experience with vulnerability scanning and configuration assessment solutions (e.g., Nessus, BurpSuite, Computer Information System-Configuration Assessment Tool (CIS-CAT) Pro, and Rapid7);
• Five or more years experience in all aspects of application security;
• Five or more years experience in Information Security / Cybersecurity, working with on-prem and cloud-based security solutions (e.g., Microsoft Threat Protection suite, Amazon Web Services (AWS) Security Solutions, Zscaler);
• Five or more years of relevant security analysis and reporting work experience (security consulting);
• Experience in conducting security checks (static and dynamic code analysis, vulnerability analysis in applications and penetration tests);
• Have hands-on experience with tools and technologies used throughout secure Software Development Life Cycle (SDLC), including Continuous Integration/Continuous Delivery (CI/CD), Agile practices;
• Experience defining security strategies aligned with business and strategic objectives;
• Experience with OWASP Top 10 and secure coding techniques to mitigate known cross-language as well as platform-specific weaknesses;
• Experience with container security and SecDevOps;
• Experience with Security Information and Event Management (SIEM) solutions (e.g., Azure
Sentinel, IBM QRadar, etc.);
• Solid knowledge and experience in application development and analysis.
Skills
• Strong analytical and interpersonal skills;
• Solid organization and document, project management;
• Strong ability to continue to learn and grow;
• Basic Proficient in the content management system (CMS), especially in Drupal;
• Minimal knowledge in software languages, including Microsoft C# / .NET Framework, JavaScript, PHP, and Python;
• Valid skills of Web Servers (IIS, Apache) and Database (Microsoft SQL and MySQL);
• Demonstrated ability to respond against information security alerts;
• Basic knowledge of reporting tools (e.g., MS Excel, Power BI, Power BI Report Builder);
• Ability to translate technical security vulnerabilities into business risk/impact to applications;
• Strong knowledge for designing, building, testing, and implementation of IAM solutions;
• In-depth understanding of secure SDLC and secure SDLC models;
• Demonstrated skill in creating security policies and procedures based on ISO27001:2013, NIST 800-53 and Computer Information System (CIS) controls;
• Demonstrated technical skill in infrastructure architecture, security, and cloud computing with emphasis on AWS and Microsoft Azure;
• Strong analytical and problem-solving skills and proactive thinking skills; and,
• Strong English oral and written communications skills.
Languages
IOM’s official languages are English, French, and Spanish.
External applicants for all positions in the Professional category are required to be proficient in English and have at least a working knowledge of one additional UN Language (French, Spanish, Arabic, Russian or Chinese).
For all applicants, fluency in English is required (oral and written). Working knowledge of Spanish and/or French is an advantage.
Proficiency of language(s) required will be specifically evaluated during the selection process, which may include written and/or oral assessments.
Notes
1 Accredited Universities are the ones listed in the UNESCO World Higher Education Database
Required Competencies:
Values – all IOM staff members must abide by and demonstrate these three values:
• Inclusion and respect for diversity: respects and promotes individual and cultural differences; encourages diversity and inclusion wherever possible.
• Integrity and transparency: maintains high ethical standards and acts in a manner consistent with organizational principles/rules and standards of conduct.
• Professionalism: demonstrates ability to work in a composed, competent and committed manner and exercises careful judgment in meeting day-to-day challenges.
Core Competencies – behavioural indicators level 2
• Teamwork: develops and promotes effective collaboration within and across units to achieve shared goals and optimize results.
• Delivering results: produces and delivers quality results in a service-oriented and timely manner; is action oriented and committed to achieving agreed outcomes.
• Managing and sharing knowledge: continuously seeks to learn, share knowledge and innovate.
• Accountability: takes ownership for achieving the Organization’s priorities and assumes responsibility for own action and delegated work.
• Communication: encourages and contributes to clear and open communication; explains complex matters in an informative, inspiring and motivational way.
IOM’s competency framework can be found at this link. https://www.iom.int/sites/default/files/about-iom/iom_revised_competency_framework_external.pdf
Competencies will be assessed during a competency-based interview.
Other:
Internationally recruited professional staff are required to be mobile.
Any offer made to the candidate in relation to this vacancy notice is subject to funding confirmation.
This selection process may be used to staff similar positions in various duty stations.
Recommended candidates endorsed by the Appointments and Postings Board will remain eligible to be appointed in a similar position for a period of 24 months.
The list of NMS countries above includes all IOM Member States which are non-represented in the Professional Category of staff members.
Appointment will be subject to certification that the candidate is medically fit for appointment, accreditation, any residency or visa requirements, and security clearances.
Vacancies close at 23:59 local time Geneva, Switzerland on the respective closing date. No late applications will be accepted.
How to apply
Interested candidates are invited to submit their applications via PRISM, IOM e-Recruitment system, by 03 November 2021 at the latest, referring to this advertisement.
IOM only accepts duly completed applications submitted through the IOM e-Recruitment system. The online tool also allows candidates to track the status of their application.
Only shortlisted candidates will be contacted.
For further information please refer to: www.iom.int/recruitment
Posting period:
From 21.10.2021 to 03.11.2021
No Fees:
IOM does not charge a fee at any stage of its recruitment process (application, interview, processing, training or other fee). IOM does not request any information related to bank accounts.
Requisition: VN 2021 255 ICT Security Officer (Application Specialist) (P3) Valencia, Spain (57225330) Released
Posting: Posting NC57225331 (57225331) Released