Information Security Advisor

Washington D.C.

  • Organization: WHO - World Health Organization
  • Location: Washington D.C.
  • Grade: Mid level - P-4, International Professional - Internationally recruited position
  • Occupational Groups:
    • Information Technology and Computer Science
    • Security and Safety
    • Information Technology Services
  • Closing Date: Closed

OBJECTIVE OF THE OFFICE/DEPARTMENT

This requisition is for employment at the Pan American Health Organization (PAHO)/Regional Office of the World Health Organization (WHO).

The Information Technology Services Department (ITS) provides leadership, direction and support in the use of information technology (IT) systems and services to support the Pan American Health Organization in carrying out its mandate. ITS is also responsible for information and cyber security across the Organization. ITS establishes and maintains IT-related strategies, policies, standards and procedures. The Department ensures the effective and efficient provision of information technology and telecommunication services across a geographically dispersed environment.

DESCRIPTION OF DUTIES

Under the general guidance of the Director of Administration (AM), and the direct supervision of the Director, Information Technology Services (ITS), the incumbent is responsible for, but not necessarily limited to the following assigned duties:

  1. Develop, implement, and monitor PAHO’s Information Systems Security (ISS) program; research, develop and implement information security policies, procedures, guidelines, and standards to enable PAHO employees to work in a secure and reliable IT systems environment;
  2. Lead the evaluation of the potential and the probability for unauthorized access (both from internal and external individuals) to all PAHO systems and databases; recommend measures to prevent such access, and enforce the implementation of recommended measures; interface with other stakeholders to ensure that systems managed outside of ITS are aligned to PAHO security controls and standards; lead testing and evaluation of IT security mechanisms and procedures designed to deal with IT security incidents and emergencies, e.g. viruses, malware, data breaches, system intrusions, or system failures;
  3. Lead Information Security incident response efforts in close coordination with management, IT Operations, key stakeholders, internal communications, and crisis management team (CMT) members when necessary;
  4. Oversee the design and execution of global vulnerability and risk assessments to: a) ascertain the current state of PAHO information security and identify areas of high, medium, and low risk for loss of information; b) identify systems across the Organization that are considered sensitive and their associated risks; and c) evaluate the capability of PAHO to manage the risks to the network; d) make recommendations and develop risk mitigation action plans to address the risks identified during the assessments; e) maintain Business Continuity action plans related to information security;
  5. Collaborate with the Office of the Legal Counsel, Enterprise Risk Management, and other oversight functions to conduct reviews/audits, recommend policies and procedures, monitor status, and report violations;
  6. Coordinate with the Chief Investigator, Internal and External Auditors when their investigations cover the topic of data protection and privacy; provide metrics or other technical information, as appropriate, during such investigations;
  7. Evaluate all projects proposed to IT Governance and provide a comprehensive analysis and advice as to their integration into PAHO’s enterprise architecture, standards, and information security; participate in all IT projects across the Organization and provide advice on information security and IT risks, to ensure the solutions delivered are in compliance with the security needs of the Organization;
  8. Prepare and present regular reports for oversight bodies on the status of Information Security; advise Executive Management on issues related to Information Security, IT risks, and data privacy and protection;
  9. Lead data protection technical impact assessments to identify and manage data privacy risks and data classification needs arising from new projects and existing systems and processes, in accordance with the established policies; ensure data processed and stored by IT systems and applications is aligned with local / international data protection and privacy requirements and best practices;
  10. Advise IT personnel across all entities, including PWRs, regarding the best design technologies and implementation methodologies for ensuring the security of data when implementing and deploying information systems;
  11. Develop and implement information security awareness programs to train PAHO staff on the proper use of PAHO’s hardware and software with the goal of keeping the systems, network, and data as secure as possible;
  12. Plan, monitor, implement and assess assigned programs/projects related to information security and data privacy and protection; participate in budget preparation, evaluation, and monitoring with a Results Based Management framework. Manage and report on budget and expenditures related to the area of work;
  13. Collaborate with other Information Security Officers at WHO, the UN, or other international organizations to improve PAHO’s security practices through joint efforts or through the adoption of best practices from these other organizations; lead reviews of protection and security of data, systems and infrastructure and make recommendations for ensuring that PAHO has a solid, viable Business Continuity Plan; actively participate in the periodic testing of the Business Continuity Plan and provide recommendations for improvements;
  14. Review and evaluate the security-related findings of the Information and Communications Technology (ICT) assessments and audits, and lead the implementation of the recommended actions. Where appropriate, conduct IT risk assessments in other entities and country offices.
  15. When called upon to directly supervise personnel, establish clear work objectives, conduct timely and effective performance appraisals, provide coaching and feedback, and support staff development opportunities;
  16. Perform other related duties, as assigned.

REQUIRED QUALIFICATIONS

Education:

Essential: A bachelor’s degree and a master’s degree in computer sciences, information management, information technology or a related field from a recognized university. Certification in Information Systems Security such as CISSP, CRISC, CISM is required.

Desirable: Certification in Data Privacy such as CDPSE, CIPT, CIPM would be an asset.

In the event that your candidature is retained for an interview, you will be required to provide, in advance, a scanned copy of the degree(s)/diploma(s)/certificate(s) required for this position. WHO only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU) / United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed through the link: http://www.whed.net/. PAHO will also use the databases of the Council for Higher Education Accreditation http://www.chea.org and College Navigator, found on the website of the National Centre for Educational Statistics, https://nces.ed.gov/collegenavigator to support the validation process.

Experience:

Essential: Nine years of combined national and international experience in information security.

Desirable: Work experience within an international or multinational organization would be an asset.

SKILLS:

PAHO Competencies:

  • Overall attitude at work: Maintains integrity and takes a clear ethical approach and stance; demonstrates commitment to the Organization’s mandate and promotes the values of the Organization in daily work and behavior; is accountable for work carried out in line with own role and responsibilities; is respectful towards, and trusted by, colleagues and counterparts.
  • Respecting and promoting individual and cultural differences: Relates well to diversity in others and capitalizes on such diversity. Treats all people with dignity and respect. Relates well to people with different cultures, gender, orientations, backgrounds and/or positions; examines own behavior to avoid stereotypical responses; considers issues from the perspective of others and values their diversity.
  • Teamwork: Advocates for collaboration across the Organization. Creates and encourages a climate of team-working and collaboration across the Organization; sees cooperation as a key Organizational priority and creates collaborative systems and processes to achieve Organizational goals.
  • Communication: Share knowledge - Shares relevant information openly and ensures that the shared information is understood; considers knowledge sharing as a constructive working method and demonstrates awareness of the Organization.
  • Producing Results: Work efficiently and independently/Deliver quality results - Monitors own and others’ work in a systematic and effective way, ensuring required resources and outputs. Aligns projects with Organization’s mission and objectives. Consistently solves own and team’s problems effectively as needed. Takes responsibility. Proactively engages in projects and initiatives, accepting demanding goals, in line with Organizational Strategies and Program of Work. Demonstrates accountability for work of team and sets an example, while explicitly articulating lessons learnt for own and team’s benefit.
  • Moving forward in a changing environment: Propose change/Adapt to change - Actively supports Organizational change initiatives and demonstrates personal commitment to them, including when faced with new demands; proposes workable solutions to challenging situations. Engages in positive responses to a changing environment and promotes workable solutions to achieve own and team’s results. Welcomes, and actively seeks to apply, new ideas, approaches and working methods and technologies in order to improve own and/or team’s work processes and results; demonstrates commitment to Organizational change initiatives.
  • Ensuring Effective use of resources: Strategize and set clear objectives/Monitor progress and use resources well - Sets specific, measurable, attainable, realistic and timely objectives for own team and/or the Organization; systematically analyses and anticipates priority projects for own team and allocates necessary resources to achieve them; identifies the cross-Organizational resources needed for large-scale projects in line with key Organizational objectives. Anticipates foreseeable changes and adapts own and team’s projects in the face of unforeseen circumstances and/or challenges; creates measures and criteria to monitor progress of overall projects against key Organizational objectives; creates cost-effective solutions for the Organization.

Technical Expertise:

  • Theoretical and proven technical skills in on-premises and cloud computing technologies, TCP/IP based networking, IT security measures, Information Security frameworks, risk management as it applies to networks, remote support, administration of offsite networks, technical reviews of IT operations, data protection, formulation of policies related to the use of technology and familiarity with business continuity requirements.
  • Proficient in critical, in-depth analysis; training IT personnel and the general staff throughout the Organization in sound security practices.
  • Proven expertise in Information Security Governance across multiple systems, platforms, and geographic locations.
  • Proven technical expertise in Information Security domains measured by certifications such as CISSP, CRISC and CISM.
  • Thorough knowledge of concepts and technical skills in systems analysis, software development, application security, data migration, systems documentation, and management of systems development projects.
  • In-depth knowledge of Microsoft Operating Systems (client and server), Network Security (IPS/IDS/Firewalls/Web filters), anti-malware technologies, log management and security analytics systems, threat information gathering and interpretation, cryptography, vulnerability management, cloud technologies, and identity and access management.
  • Knowledge of ISO27001:2013 and NIST 800-53 standard controls and methods of achieving compliance with the standards.
  • Strong professional oral and writing skills, including the development of reports, oral presentations, and technical/persuasive documents for consideration at the highest levels of the Organization.

Languages:

Very good knowledge of English or Spanish with a working knowledge of the other language. Knowledge of French and/or Portuguese would be an asset.

IT Skills:

Demonstrated ability to effectively utilize software programs such as Microsoft Office, Word, Excel, PowerPoint, Visio, SharePoint and Project. In addition, the incumbent should have advanced skills in the use of software tools in the domain of information security.

REMUNERATION

Annual Salary: (Net of taxes)

US $ 74,913.00 post adjustment

Post Adjustment: 49.6% of the above figure(s). This percentage is to be considered as indicative since variations may occur each month either upwards or downwards due to currency exchange rate fluctuations or inflation.

ADDITIONAL INFORMATION

This vacancy notice may be used to fill other similar positions at the same grade level.

Only candidates under serious consideration will be contacted.

A written test may be used as a form of screening.

Any appointment/extension of appointment is subject to PAHO Staff Regulations, Staff Rules and e-Manual.

For information on PAHO please visit: http://www.paho.org

PAHO/WHO is committed to workforce diversity.

PAHO/WHO has a smoke-free environment and does not recruit smokers or users of any form of tobacco.

PAHO/WHO offers an attractive compensation package including an annual net salary and post adjustment, which reflects the cost of living in a particular duty station and exchange rates (subject to mandatory deductions for pension contributions and health insurance). Other benefits include: 30 days annual leave, dependency benefits, pension plan and health insurance scheme. Benefits for internationally recruited staff may include home leave, travel and removal expenses on appointment and separation, education grant for dependent children, assignment grant and rental subsidy.

Candidates appointed to an international post with PAHO are subject to mobility and may be assigned to any activity or duty station of the Organization throughout the world.

All applicants are required to complete an on-line profile to be considered for this post.

Candidates will be contacted only if they are under serious consideration. A written test and/or interview will be held for this post. The post description is the official documentation for organization purposes.

This vacancy is now closed.