
Work Experience
Dixons Carphone
01/07/18
- 01/07/19
Security Assurance Consultant
Senior Information Security Assurance Consultant (Contract role)
* Provide information security input and assurance for a large number of projects, ensuring that systems/solutions comply with best practice and company policies and standards
* Responsible for assessing and reporting on risk within projects
* Perform information security reviews of 3rd party suppliers. Liaise with these suppliers where changes/improvements to security controls are needed
* Scope and coordinate security testing of DCG systems as well as those of suppliers (where needed). Review results of this testing and recommend/identify remediation activities
April
01/01/17
- 01/08/17
Ministry of Justice
Senior Information Security Assurance Consultant (Contract role)
Manage the delivery of assurance of in-house developed digital products and new solutions, ensuring proportional and appropriate security controls (similar to the GDS role below)
* Ensure an effective information security risk framework is maintained across MoJ
* Scope and coordinate security testing of MoJ systems as well as those of MoJ suppliers. Interpret results of this testing and recommend/coordinate remediation activities
* Provide security input to project teams, from system design to implementation
Engage with senior technical and non-technical stakeholders across MoJ, including:
* The heads of assurance and business information assurance leads
* Information operations directorate
* Central senior information risk owners (SIROs) and their delegated information assurance officers
Ensure that the team obtains the right information security knowledge and influence it needs to continue to successfully deliver secure products/projects in a government and industry context
01/11/16
- 01/03/17
Government Digital Service (GDS), part of the Cabinet Office
Information Security Manager - member of the Information Assurance Team (Contract role)
Responsibilities
* Ensure an effective information security risk framework is maintained across GDS
* Perform information security reviews of 3rd party suppliers and their products. Liaise with these suppliers where changes/improvements to security controls are needed
* Scope and coordinate security testing of GDS systems as well as those of GDS suppliers. Interpret results of this testing and recommend/coordinate remediation activities
* Provide security input to project teams, from system design to implementation
* Review information security incidents
* Establish a close working relationship with the executive staff member and the Cabinet Office Risk Owner (SIRO) tasked with making security related decisions which are outside of risk tolerance
* Ensure that Government systems adhere to the latest NCSC Cloud Principles, industry best practice and the HMG security policy framework
01/03/16
- 01/10/16
Feb 2014 - Feb 2016 Cyber Security Assurance Manager at Marks and Spencer Ltd
Marks and Spencer Limited
01/02/14
- 01/02/16
Marks and Spencer Limited (www.marksandspencer.com)
Cyber Security Assurance Manager with 6 direct reports. (Permanent role)
Responsibilities
Manager of the Cyber Security assurance function with the objective of ensuring that every system at M&S was secure before it went live. This entailed following a risk based approach (IRAM2) to ensure that systems were designed securely and that the appropriate controls were applied
Other responsibilities included:
* Management of Security Service Suppliers. Accountable for maintaining supplier relationships and overseeing security supplier governance
* Third Party security assessment. Responsible for ensuring that 3rd party suppliers (200+) have proper security controls in place and are protecting M&S customer and business information appropriately. This includes coordinating security reviews of all suppliers and identifying gaps in controls and processes. Liaise with these suppliers to ensure that M&S data is secured appropriately
* Ownership of technical policies and standards
* Contribute to the development and maintenance of the information security strategy
I worked closely with enterprise architects, other functional area architects and security specialists to ensure adequate security solutions were in place throughout all IT systems and platforms to mitigate identified risks sufficiently, and to meet business objectives and regulatory requirements
In my role I achieved the following:
* Successfully merged the assurance function into one team. It was previously split into two - one team for online systems and another for corporate systems. My justification for this was to ensure a consistent approach to security for all parts of the business
* The assurance roles were originally outsourced to a third party. This contract ended in December 2015. I successfully recruited a new team of 6 and oversaw the handover from the third party to my new team
* Incorporated security architecture into the team. Previously the security architect reported to another team. By bringing architecture and assurance together it has ensured that security is driven consistently from project inception all the way to production. It also helps with security awareness across other parts of the business
* Supplier relationships / management. By bringing architecture and assurance together, my team have been more effective in dealing with other parts of IT and the business. In the past with separate teams, other business units sometimes got different answers or approaches to problems and projects. This is far more consistent now
* Third party assessments. Streamlined this process onto an online GRC tool. Previously we have assessed third parties via an Excel based questionnaire. The tool has removed considerable administrative overhead and allowed my team to focus on their strengths - security
Sainsbury's Ltd
01/06/13
- 01/10/13
Senior Security Analyst
Sainsbury's Supermarkets Limited
01/06/13
- 01/10/13
Contract role as a Senior Security Analyst in the Information Security and Compliance Team (IS&C)
Responsibilities
Provide input for a wide range of projects, ensuring that systems comply with the company policies and standards, PCI DSS (where relevant) and best practice (ISO27001). This involved ensuring that the appropriate security controls were in place based on the above
Provide advice, design input and security requirements for cloud based solutions, including liaising with 3rd parties to ensure that they comply / conform to best practice
Projects involved in:
Retail systems:
* Warehouse systems, Supply Chain and Online Shopping
Sainsbury's Bank
Work programmes:
* PCI working group
* Information Security Improvement Programme
* IT Standards review / gap analysis (this was based on previous standards and industry best practice)
Lloyds Banking Group
01/11/12
- 01/05/13
Nov 2011 to Oct 2012 Security Architect at Lloyds Banking Group
Lloyds Banking Group
01/11/11
- 01/10/12
Lloyds Banking Group (www.lloydsbankinggroup.com)
Contract role as a Security Architect in the Enterprise Architecture Design Team.
Responsibilities
Provide the security design and appropriate controls for a wide range of projects across the banking group in the following domains:
* Infrastructure
* Information Privacy
* Fraud and financial crime
* Compliance
* Identity Management
Some of the projects involved in were:
Virtualization
* A major upgrade of the existing virtual infrastructure - Assessed the existing controls to ensure that they were still appropriate and effective, while adding new controls / standards based on the new version
Anti Money Laundering / Fraud Systems
* Security analysis/design for fraud systems including PCI DSS controls and requirements. Reviewed the existing data security controls and assured appropriate access to the data