Senior Cyber Security (GRC) Analyst

  • Job Reference: 79076
  • Date Posted: 9 June 2024
  • Employer: UK Power Networks
  • Location: Crawley, West Sussex
  • Salary: On Application
  • Bonus/Benefits: Excellent Benefits and Bonus
  • Sector: Information Technology (IT)
  • Job Type: Permanent
  • Work Hours: Full Time

Job Description

Senior Cyber Security (GRC) Analyst

Reference Number - 79076

This Senior Cyber Security (GRC) Analyst will report to the Cyber Security Governance, Risk & Compliance Manager and will work within Information Systems based in either our Crawley or London office. You will be a permanent employee.

You will attract a salary of £55,000.00 and a bonus of 7.5%. This role can also offer blended working after probationary period (6 months) - 3 days in the office and 2 remote

Close Date: 23/06/2024

We also provide the following additional benefits

  • Annual Leave
  • Personal Pension Plan - Personal contribution rates of 4% or 5% (UK Power Networks will make a corresponding contribution of 8% or 10%)
  • Tenancy Loan Deposit scheme
  • Tax efficient benefits: cycle to work scheme
  • Season ticket loan
  • Occupational Health support
  • Switched On - scheme providing discount on hundreds of retailers products.
  • Discounted access to sports and social clubs
  • Employee Assistance Programme.

JOB PURPOSE:

You will will support the Cyber Security GRC Manager in developing IT governance, risk management, and compliance strategies across UK Power Networks information systems, applications and users to safeguard essential business services and operations from cyber threats.

DIMENSIONS:

  • People - Work collaboratively in a team of circa 8-10 permanent and temporary GRC resources and specialist 3rd Party GRC service providers. Mentor less experienced GRC analysts, providing guidance and training.
  • Financial - no direct budget responsibility.
  • Industry and Regulatory - deputise for the GRC manager to represent UKPN in energy sector industry forums and regulatory working groups, working collaboratively with Ofgem and the Department for Energy Security and Net Zero
  • Communication - collaborate with all teams and partners in UK Power Networks. Good verbal, written, and presentational skills to articulate risks and the potential possible effects to the business and make reasoned recommendations for management action to mitigate or reduce the risks.
  • Partners - regular and ongoing interaction with senior management partners across IT, IS and the Business; collaborate with internal support teams, internal and external auditors, specialist 3rd party service providers and partners to manage IT risk, and to monitor mitigation plans and actions.

PRINCIPAL ACCOUNTABILITIES:

  1. Risk Management: Conduct cyber security risk assessments following the UK Power Networks risk assessment framework and methodology, identifying and explaining findings and treatment actions to important partners. Ensure all risks relating to the control environment are captured and remediation actions defined, tracked, monitored and followed-up with owners including communication of third-party assessments and actions.
  2. Reporting: Produce management information related to the risk and control environment. Support IS teams to define important control metrics to demonstrate their effectiveness. Prepare regulatory submissions and provide assurance for UK Power Networks policy compliance within IT which includes key performance metrics and management reporting.
  3. Information Security Management System Support: Operate and maintain the information security management system and artefacts, in compliance with ISO 27001/27002 including the governance forum agenda and minutes.
  4. Policies and Standards: develop GRC policies, standards and procedures to monitor UKPN information security controls, exceptions, risks, and testing including management reporting on performance.
  5. Controls Framework: Ensure a fit for purpose IT control environment and support a roadmap for IT controls improvements. Requiring an understanding of technical issues and controls.
  6. Compliance: Design, implement, and run processes to monitor UKPN IT compliance to legal and regulatory requirements such as Smart Energy Code, Cyber Essentials, National Cyber Security Centre (NCSC) Networks & Information Systems (NIS) Regulations Cyber Assessment Framework (CAF) and all IT related audits (internal and external) where the scope is wholly relevant to the companies cyber security controls.
  7. Business Continuity and Disaster Recovery:Manage IT resilience and business continuity plans, plan, coordinate test exercises. Conduct business continuity reviews and evaluate resilience and business continuity activities.
  8. GRC Systems and Tools Support: support the technical implementation, maintenance and configuration of the suite of GRC tools, products and systems to ensure effective operation of GRC frameworks and capabilities.
  9. Stakeholder Management: Engage and work with important partners across IT, IS and the Business, maintaining daily working relationships with internal and external support teams, internal and external auditors, UKPN regulator Ofgem, third party managed service providers and partners to manage all IT risks across the enterprise.
  10. Supply Chain and 3rd Party:Engage, interact and ensure 3rd party supplies are meeting cyber security expectations. Gather evidence and assurance, risk assess and create reports and governance metrics for measuring the ongoing risk and effect that 3rd party suppliers present to UKPN.

NATURE AND SCOPE:

The Information Systems Department works across UK Power Networks, supporting us in the achievement of our vision to maintain its position as best DNO. The team achieve this through the provision of technology solutions and the optimisation of current solutions to improve how we operate. Continuous improvement, customer service and seamless delivery is at the heart of this ethos and are therefore strongly underpinned by effective cyber security.

You will support all other team members, the rest of Information Systems teams, IT Service Providers and partners across UK Power Networks to implement and improve IS and IT risk management and operational control capabilities that are important to safeguarding UKPN information assets, business services and operations.

  • We ask that you understand governance, risk management, and compliance principles, in addition to knowledge of relevant laws, regulations, and industry standards. We ask that you have a detailed knowledge and practical expertise in at least 3 of the following specialist areas: -
  • Specific Industry Standards
  • IS/IT Operational Controls and Governance
  • IT/IS Risk Management
  • Business Continuity Planning and Disaster Recovery
  • Supply Chain and 3rd Party Risk Management
  • You will have problem solving skills to recommend pragmatic mitigating solutions to mitigate IT risks across the organisation; must also be able to develop and implement new governance and compliance strategies and practices.

Qualifications:

  • Practical experience in a GRC role or related profession e.g. risk, audit, cyber security or similar practical experience in IT or OT role with a desire to move into cyber security, must have some relevant training of cyber security risk assessment.
  • Detailed knowledge and experienced in defining, implementing, operating maintaining, and improving information security management systems (ISMS).
  • Experience of internal and external audit engagements, orchestrating and delivering cyber security risk and control assessments and knowledge of risk processes, frameworks, and procedures.
  • Specific GRC related professional training or an academic level equivalent in a related subject with a recognised information security related certification e.g. CISSP, CompTIA, CISA, CISM, CRISC, MSc Information Security, degree or other formal technical qualifications e.g. apprenticeship, in a related area e.g. networking, cyber security, Information Technology, Operational Technology.
  • Knowledge of compliance, security and regulatory frameworks such as Cyber Essentials, Smart Energy Code (SEC), Network and Information Systems Directive (NIS) National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), ISA/IEC 62443, ISO/IEC 27001/27002, GDPR, Cloud Security Alliance (CSA) Star framework, SOC2 Type 2 audits. Information Technology Infrastructure Library (ITIL), Control Goals for Information and Related Technologies (CoBIT).
  • IT / OT operational risks and controls assessment and assurance
  • Business Continuity Planning and Disaster Recovery testing assurance.
  • 3rd Party Supply chain risks, controls and assurance.
  • Experience with technical risk assessments in either Information Technology (IT) or Operational Technology (OT) environments, including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
  • Working within a regulated environment, preferably Energy sector Critical National Infrastructure (CNI) and an understanding of power distribution systems or industry best practice would be beneficial.