Org. Setting and Reporting

The incumbent of this Bangkok-based position will primarily report to the Chief, Information Management, Communications and Technology Section (IMCTS), Division of Administration, United Nations Economic and Social Commission for Asia and the Pacific (ESCAP). Additional supervision will be provided by the New York-based Chief, Cybersecurity Service (CSS), Office of Information and Communications Technology (OICT). The Cyber Security Officer is responsible for conducting evaluations/assessments of information and communication technologies (ICT) systems and projects to determine compliance with established cyber security policies and procedures. The Cyber Security Officer recommends, reviews, and validates information security controls and manages the planning and implementation of projects and operational activities that are related to information security compliance and information risk management. The Office of Information and Communications Technology (OICT) is leading the digital transformation of the Organization to enable a better, safer, more sustainable future through secure, reliable, and innovative technology solutions. OICT is committed to achieving 50/50 gender balance and geographical diversity in its staff, and female candidates are strongly encouraged to apply for this position. OICT supports the principles of work-life balance and flexible work arrangements.

Responsibilities

Within limits of delegated authority, the Cyber Security Officer will be responsible for the following duties: a. Design, implement, and monitor cyber security systems of controls in place to ensure that the Organisation complies with applicable UN internal regulatory and compliance requirements. b. Provide guidance on designing, implementing, auditing, and conducting compliance testing activities to ensure adherence to cyber security compliance requirements. c. Provide guidance in the design and implementation of applicable cyber security frameworks, and ensure its policies, processes, procedures, and controls are appropriately mapped to relevant UN internal regulatory and compliance requirements. d. Continuously assess the efficiency and effectiveness of control systems, recommend necessary remediations and propose steps for improvements to ensure ongoing compliance. e. Develop the organisation’s vulnerability management strategy. f. Develop procedures for the organisation on patch and vulnerability management, including automated patch deployment, assessment procedures, and procedures for remediation. g. Coordinate with appropriate teams to ensure prioritization of patching and mitigations to vulnerabilities. h. Contribute to the development of the organisation’s cyber security strategy, policy, and procedures in consultation with senior management and legal team, as necessary. i. Provide guidance in the discussions regarding existing initiatives from security, compliance, and risk perspectives. j. Routinely monitor and validate information security controls to ensure compliance with mandatory requirements, identify irregularities, risks, and potential weaknesses, and use this insight to develop and implement best practices and process improvements for the organisation’s information systems. k. Develop monitoring methods to track and evaluate compliance efforts, e.g., dashboards. l. Participate in review of the cyber security programmes in collaboration with risk and governance and provide advice to ensure their alignment with organisational requirements. m. Provide security guidance and advice to users and ICT specialists to ensure the cyber security of the organisation and achieve compliance. n. Coordinate with external security auditors and penetration testers to verify security of information systems and to identify and remedy vulnerabilities. o. Act as the main focal point for the coordination of required activities to address security vulnerabilities. p. Prepare concise reports based on penetration test outcomes to communicate remediation recommendations to relevant stakeholders. q. Train staff on security processes and procedures and actively participate in the security response process. r. Monitor compliance of identity and access management (IAM) with access control policy and relevant technical procedures. s. Keep abreast of the current and emerging security issues, risks, threats, vulnerabilities, and advancements in cyber security techniques and technologies.

Competencies

Professionalism: Knowledge of cyber security industry standards, methodologies and frameworks and ability to adapt and integrate subsequent changes. Knowledge of cyber security compliance monitoring and controls. Knowledge of current and emerging cyber security threat landscape, attack methodologies, tools, technologies, and mitigation/remediation methods. Knowledge of cyber threats, network and application security principles, common vulnerabilities, and exploits. Shows pride in work and in achievements. Demonstrates professional competence and mastery of subject matter. Is conscientious and efficient in meeting commitments, observing deadlines and achieving results. Is motivated by professional rather than personal concerns. Shows persistence when faced with difficult problems or challenges; remains calm in stressful situations. Takes responsibility for incorporating gender perspectives and ensuring the equal participation of women and men in all areas of work. Planning and organizing: Develops clear goals that are consistent with agreed strategies. Identifies priority activities and assignments; adjusts priorities as required. Allocates appropriate amount of time and resources for completing work. Foresees risks and allows for contingencies when planning. Monitors and adjusts plans and actions as necessary. Uses time efficiently. Client orientation: Considers all those to whom services are provided to be “clients” and seeks to see things from clients’ point of view. Establishes and maintains productive partnerships with clients by gaining their trust and respect. Identifies clients’ needs and matches them to appropriate solutions. Monitors ongoing developments inside and outside the clients’ environment to keep informed and anticipate problems. Keeps clients informed of progress or setbacks in projects. Meets timeline for delivery of products or services to client.

Education

Advanced university degree (Master's degree or equivalent degree) in computer science, information systems, mathematics, statistics, information security, cyber security, or a related field. A first-level university degree in combination with qualifying experience may be accepted in lieu of the advanced university degree.

Job - Specific Qualification

An active certificate in Information Security (e.g., CISM, CISSP) or equivalent is desirable and may be accepted as substantiation of candidates' proficiency in the requisite knowledge, skills, and abilities for this position.

Work Experience

A minimum of seven years of progressively responsible experience demonstrating the knowledge, skills, and abilities indicated below is required (excluding non-required criteria). Demonstrated knowledge of governance, risk and/or compliance management practices in dynamic and complex cyber security, information security, ICT and business environment, and ability to apply them is required. Demonstrated ability to identify systemic security issues based on the analysis of vulnerability and configuration data is required. Demonstrated skill in using network analysis tools to identify vulnerabilities (e.g., fuzzing, nmap, etc.) and penetration testing tools and techniques is required.

Languages

English and French are the working languages of the United Nations Secretariat. For the position advertised, fluency in English is required. Knowledge of another official United Nations language is an advantage.

Assessment

Qualified applicants may be evaluated through a competency-based interview and/or other assessment methods.

Special Notice

Appointment or assignment against this position is for an initial period of one year. Any extension of appointment is subject to satisfactory performance and continued availability of funds. Staff members are subject to the authority of the Secretary-General and to assignment by him or her. In this context, all staff are expected to move periodically to new functions in their careers in accordance with established rules and procedures. At the United Nations, the paramount consideration in the recruitment and employment of staff is the necessity of securing the highest standards of efficiency, competence and integrity, with due regard to geographic diversity. All employment decisions are made on the basis of qualifications and organizational needs. The United Nations is committed to creating a diverse and inclusive environment of mutual respect. The United Nations recruits and employs staff regardless of gender identity, sexual orientation, race, religious, cultural and ethnic backgrounds or disabilities. The United Nations Secretariat is committed to achieving 50/50 gender balance and geographical diversity in its staff. Female candidates are strongly encouraged to apply for this position. Pursuant to section 6.9 of ST/AI/2010/3/Rev. 1, interns, consultants, individual contractors and gratis personnel may not apply for or be appointed to any vacancy in the Professional or higher categories within six months of the end of their current or most recent service. Pursuant to section 7.11 of ST/AI/2012/2/Rev.1, candidates recruited through the young professionals programme who have not served for a minimum of two years in the position of their initial assignment are not eligible to apply to this position. Applicants, who successfully go through a competitive recruitment process and are recommended for selection and/or inclusion in the roster of pre-approved candidates for subsequent job openings at the same level and with similar functions, may have their application information and roster status shared with other UN Organizations. Such applicants may be contacted by other UN Organizations for similar job openings, subject to the confirmation of their interest. Placement on the roster is no guarantee of a future selection.

United Nations Considerations

According to article 101, paragraph 3, of the Charter of the United Nations, the paramount consideration in the employment of the staff is the necessity of securing the highest standards of efficiency, competence, and integrity. Candidates will not be considered for employment with the United Nations if they have committed violations of international human rights law, violations of international humanitarian law, sexual exploitation, sexual abuse, or sexual harassment, or if there are reasonable grounds to believe that they have been involved in the commission of any of these acts. The term “sexual exploitation” means any actual or attempted abuse of a position of vulnerability, differential power, or trust, for sexual purposes, including, but not limited to, profiting monetarily, socially or politically from the sexual exploitation of another. The term “sexual abuse” means the actual or threatened physical intrusion of a sexual nature, whether by force or under unequal or coercive conditions. The term “sexual harassment” means any unwelcome conduct of a sexual nature that might reasonably be expected or be perceived to cause offence or humiliation, when such conduct interferes with work, is made a condition of employment or creates an intimidating, hostile or offensive work environment, and when the gravity of the conduct warrants the termination of the perpetrator’s working relationship. Candidates who have committed crimes other than minor traffic offences may not be considered for employment. Due regard will be paid to the importance of recruiting the staff on as wide a geographical basis as possible. The United Nations places no restrictions on the eligibility of men and women to participate in any capacity and under conditions of equality in its principal and subsidiary organs. The United Nations Secretariat is a non-smoking environment. Reasonable accommodation may be provided to applicants with disabilities upon request, to support their participation in the recruitment process. By accepting a letter of appointment, staff members are subject to the authority of the Secretary-General, who may assign them to any of the activities or offices of the United Nations in accordance with staff regulation 1.2 (c). Further, staff members in the Professional and higher category up to and including the D-2 level and the Field Service category are normally required to move periodically to discharge functions in different duty stations under conditions established in ST/AI/2023/3 on Mobility, as may be amended or revised. This condition of service applies to all position specific job openings and does not apply to temporary positions. Applicants are urged to carefully follow all instructions available in the online recruitment platform, inspira, and to refer to the Applicant Guide by clicking on “Manuals” in the “Help” tile of the inspira account-holder homepage. The evaluation of applicants will be conducted on the basis of the information submitted in the application according to the evaluation criteria of the job opening and the applicable internal legislations of the United Nations including the Charter of the United Nations, resolutions of the General Assembly, the Staff Regulations and Rules, administrative issuances and guidelines. Applicants must provide complete and accurate information pertaining to their personal profile and qualifications according to the instructions provided in inspira to be considered for the current job opening. No amendment, addition, deletion, revision or modification shall be made to applications that have been submitted. Candidates under serious consideration for selection will be subject to reference checks to verify the information provided in the application. Job openings advertised on the Careers Portal will be removed at 11:59 p.m. (New York time) on the deadline date.

No Fee

THE UNITED NATIONS DOES NOT CHARGE A FEE AT ANY STAGE OF THE RECRUITMENT PROCESS (APPLICATION, INTERVIEW MEETING, PROCESSING, OR TRAINING). THE UNITED NATIONS DOES NOT CONCERN ITSELF WITH INFORMATION ON APPLICANTS’ BANK ACCOUNTS.