Cyber Security Architect
- Position Posted: April 14, 2025
- Services Australia ACT, Tuggeranong, QLD, Brisbane, SA, Adelaide, VIC, Melbourne
- Number of Positions: One (1)
| Reference: | 2652 |
|---|---|
| Job Description: | Cyber Security Architect |
| Australian Citizenship | Required |
| Security Clearance Level Required: | NV1 |
| Length of Contract: | 12 months |
| Contract Extension Options: | four periods up to 24 months |

Security Architects design, review, test and assure the technical environment, solution designs and solution implementations in accordance with current and emerging security best practice. They contribute to the technical architecture and security policies and practices.
‘Security Architect’ is also called: Cloud Security Architect/Partner, Cloud Security Solution Architect, Cyber Security, Cyber Security Architect, Enterprise Architect – Security.
The Cyber Security Analyst will assist the Integrated Cyber Risk Management team by providing technical security advice and activities related to System Authorisation. They will assist business and system owners to attain and maintain Authority to Operate (ATOs). Additionally, the Cyber Security Analyst will assist with implementation of security controls and management of cyber risk in accordance with Cyber Security Policy Guidelines, Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
Key duties and responsibilities
A. Duties may include some or all of the following:
- Identify, test and assess applicable security controls in line with the Australian Government PSPF, Information Security Manual (ISM) and agency policies and guidelines.
- Analyse and document security risk and recommend treatments and modifications to security practices and procedures using expertise and technical knowledge.
- Contribute to the system authorisation program of work, system projects and programs, by developing or reviewing security artefacts, including Security and Risk Assessments and System Security Plans.
- Manage, develop and support complex relationships with stakeholders to achieve work area goals.
- Manage and maintain the agreed service levels.
- Assist with the development and implementation of security policies, procedures, projects, and strategies.
B. The role requires the below knowledge and qualifications:
- Extensive demonstrated experience with risk and information security frameworks, and standards, including the Federal Government Protective Security Policy Framework (PSPF) and Information Security Manual (ISM), and international standards (ISO 27001/2).
- Demonstrated working experience in security risk assessment and development of security authorisation artefacts for systems to reach Authority to Operate.
- Desirable: CISSP, CRISC, CISM, CISA and Mainframe.
Technical skills
Understanding of security frameworks: ISM, Essential 8, PSPF. The ability to translate technical configurations into ISM controls, regulatory guidelines, PSPF, etc. This also includes knowledge of cloud security and secure configurations. Effective communication and the ability to explain technical information to non-technical individuals. Strong analytical skills to evaluate risks and provide risk remediation advice.
About the organisation
Services Australia is at the frontline of government service delivery, supporting millions of Australians, and is front and centre of a vision to be a world leader in government service delivery. It’s using cutting-edge technology to build world class platforms and capabilities to help Australians get on with their lives. The services required will enable the agency to supplement its existing ICT and digital workforce to ensure a high quality of technology and digital development for the Buyer with the flexibility to ramp resourcing up and down as needs require. Engaging a flexible ICT workforce will enable the Buyer to augment its requirements for the major work programs being undertaken.
Essential criteria
1. Information assurance: Level 5 (SFIA)
Interprets information assurance and security policies and applies these to manage risks. Provides advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines. Plans, organises and conducts information assurance and accreditation of complex domain areas, cross-functional areas, and across the supply chain. Contributes to the development of policies, standards and guidelines.
2. Information security: Level 5 (SFIA)
Provides advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. Contributes to development of information security policy, standards and guidelines. Obtains and acts on vulnerability information and conducts security risk assessments, business impact analysis and accreditation on complex information systems. Investigates major breaches of security, and recommends appropriate control improvements. Develops new architectures that mitigate the risks posed by new technologies and business practices.
3. Network design: Level 5 (SFIA)
Produces, or approves network providers’, network architectures, topologies and configuration databases for own area of responsibility. Specifies design parameters for network connectivity, capacity, speed, interfacing, security and access, in line with business requirements. Assesses network-related risks and specifies recovery routines and contingency procedures. Creates multiple design views to address the different stakeholders’ concerns and to handle both functional and non-functional requirements.
4. Solution architecture: Level 4 (SFIA)
Contributes to the development of solution architectures in specific business, infrastructure or functional areas. Identifies and evaluates alternative architectures and the trade-offs in cost, performance and scalability. Determines and documents architecturally significant decisions. Produces specifications of cloud-based or on-premises components, tiers and interfaces, for translation into detailed designs using selected services and products. Supports projects or change initiatives through the preparation of technical plans and application of design principles. Aligns solutions with enterprise and solution architecture standards (including security).
5. Specialist advice: Level 5 (SFIA)
Provides definitive and expert advice in their specialist area. Actively maintains recognised expert level knowledge in one or more identifiable specialisms. Oversees the provision of specialist advice by others. Consolidates expertise from multiple sources, including third-party experts, to provide coherent advice to further organisational objectives. Supports and promotes the development and sharing of specialist knowledge within the organisation.
6. Systems design: Level 5 (SFIA)
Designs large or complex systems and undertakes impact analysis on major design options and trade-offs. Ensures that the system design balances functional and non-functional requirements. Reviews systems designs and ensures that appropriate methods, tools and techniques are applied effectively. Makes recommendations and assesses and manages associated risks. Adopts and adapts system design methods, tools and techniques. Contributes to development of system design policies, standards and selection of architecture components.
Desirable criteria
1. Consultancy: Level 5 (SFIA)
Takes responsibility for understanding client requirements, collecting data, delivering analysis and problem resolution. Identifies, evaluates and recommends options. Collaborates with, and facilitates stakeholder groups, as part of formal or informal consultancy agreements. Seeks to fully address client needs and implements solutions if required. Enhances the capabilities and effectiveness of clients, by ensuring that proposed solutions are fully understood and appropriately exploited.
2. Emerging technology monitoring: Level 5 (SFIA)
Monitors the external environment to gather intelligence on emerging technologies. Assesses and documents the impacts, threats and opportunities to the organisation. Creates reports and technology roadmaps and shares knowledge and insights with others.
3. Enterprise and business architecture: Level 5 (SFIA)
Develops models and plans to drive the execution of the business strategy, taking advantage of opportunities to improve business performance. Contributes to creating and reviewing a systems capability strategy which meets the business’s strategic requirements. Determines requirements and specifies effective business processes, through improvements in technology, information or data practices, organisation, roles, procedures and equipment.
4. Innovation: Level 5 (SFIA)
Manages the innovation pipeline and executes innovation processes. Develops and adapts innovation tools, processes and infrastructures to drive the process of innovation. Identifies resources and capabilities needed to support innovation. Encourages and motivates innovation communities, teams and individuals to share creative ideas and learn from failures. Manages and facilitates the communication and open flow of creative ideas between interested parties and the set-up of innovation networks and communities.
5. Quality assurance: Level 4 (SFIA)
Plans, organises and conducts assessment activity and determines whether appropriate quality control has been applied. Conducts formal assessments or reviews for given domain areas, suppliers, or parts of the supply chain. Collates, collects and examines records, analyses the evidence and drafts all or part of formal compliance reports. Determines the risks associated with findings and non-compliance and proposes corrective actions. Provides advice and guidance in the use of organisational standards.
6. Requirements definition and management: Level 4 (SFIA)
Defines and manages scoping, requirements definition and prioritisation activities for initiatives of medium size and complexity. Contributes to selecting the requirements approach. Facilitates input from stakeholders, provides constructive challenge and enables effective prioritisation of requirements. Establishes requirements base-lines, obtains formal agreement to requirements, and ensures traceability to source.
Full response will be required by: 24 April

We welcome applications from all sections of the community.