Digital Forensics Incident Response Lead at Department for Work and Pensions
NUT, England, United Kingdom
Full Time


Start Date

Immediate

Expiry Date

25 Jun, 25

Salary

£71,675

Posted On

26 Mar, 25

Experience

5 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

Digital Forensics, Intrusion Detection, Forensics, Cyber Security, Incident Investigation

Industry

Other Industry

Description

JOB SUMMARY

This role is an exciting position in the Cyber Resilience Centre, part of DWP Security and Data Protection.
The Security Monitoring & Investigations Team (SMI) plays a vital role in securing the DWP estate; ensuring that service delivery is not affected by potential malicious activity from either internal or external threat actors. The team operates in a dynamic environment at the forefront of the Department’s cyber protection capability.
This role is for a Digital Forensics Incident Response Lead who will have responsibility for leading and co-ordinating the technical response to security incidents including digital forensics. They will manage people and work across the team, and will provide expert technical advice to incident managers as well as wider stakeholders to ensure robust resolutions.

JOB DESCRIPTION

The Digital Forensics Incident Response Lead will lead and direct technical investigations including digital forensics, that arise from security incidents. They will be responsible for ensuring that all legal and internal compliance standards are maintained and for producing and reviewing technical reports with appropriate recommendations.
They will provide expert technical advice to all internal stakeholders and will work with teams across DWP to develop and improve cyber response strategies and forensic and investigation capabilities.
They will be actively involved in all stages of incident response, from identification and containment through to eradication and recovery. They will respond quickly and decisively to minimise the impact of any cyber-attack to the organisation and will make appropriate recommendations to prevent an incident from recurring.
They will manage and develop a virtual team of analysts focused on the identification and investigation of cyber security incidents, as well as the proactive detection and investigation of potential indicators of compromise or malicious activity on DWP systems. They will co-ordinate the technical response to security incidents, collaborating with stakeholders across the DWP to ensure that effective and proportionate mitigations are applied.

TECHNICAL SKILLS

We’ll assess you against these technical skills during the selection process:

  • Forensics (Government Cyber Security Profession Skills Framework – Practitioner level)
  • Incident Management, Incident Investigation and Response (Government Cyber Security Profession Skills Framework – Practitioner level)
  • Intrusion Detection and Analysis (Government Cyber Security Profession Skills Framework – Expert level)
  • Threat Understanding (Government Cyber Security Profession Skills Framework – Practitioner level)

PROVEN TRACK RECORD IN CYBER SECURITY OR DIGITAL FORENSICS, WITH EXPERIENCE USING A VARIETY OF CYBER SECURITY AND DIGITAL FORENSIC TOOLS AND OF ANALYSING LARGE DATASETS. THIS SHOULD INCLUDE SUPPORTING QUALIFICATIONS AND APPLICABLE EXPERIENCE.

Candidates who pass the initial sift will be progressed to a full sift.
The sift panel will use the information relating to your employment history (your CV) and your personal statement of suitability, to assess your experience, skills and knowledge. When giving details of your employment history, you should therefore include details of the work and projects that you have been involved in, and your role therein.

APPLICATIONS MUST INCLUDE:

A. A completed Personal Details application form.
B. A curriculum vitae* with education, professional qualifications and full employment history, giving details of key achievements relevant to the skills and experience outlined in this job description.
C. A personal statement. In no more than 1000 words, please demonstrate how you meet the essential criteria, outlined in the ‘Person Specification’ section of the job advert.

NATIONALITY REQUIREMENTS

This job is broadly open to the following groups:

  • UK nationals
  • nationals of the Republic of Ireland
  • nationals of Commonwealth countries who have the right to work in the UK
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities with settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • nationals of the EU, Switzerland, Norway, Iceland or Liechtenstein and family members of those nationalities who have made a valid application for settled or pre-settled status under the European Union Settlement Scheme (EUSS)
  • individuals with limited leave to remain or indefinite leave to remain who were eligible to apply for EUSS on or before 31 December 2020
  • Turkish nationals, and certain family members of Turkish nationals, who have accrued the right to work in the Civil Service


Responsibilities

TYPE OF ROLE

Analytical
Digital
Information Technology
Security

RESPONSIBILITIES

Successful candidates can expect to be involved in a range of the following:

  • Support the DWP Security Incident Response Team (SIRT) by providing expert technical input to on-going investigations in relation to the mitigation, detection and response to potential cyber-attacks.
  • Deliver the team strategy, implementing agreed policies, standards and processes as required to support the work of the Digital Forensics Incident Response Team.
  • Lead and direct forensic investigations that arise from security incidents ensuring that all legal and internal compliance standards are maintained and that all outputs and reports are fit for purpose.
  • Provide expert technical advice to internal DWP stakeholders as well as DWP partners and work across the Department to develop and improve cyber response strategies and forensic and investigation capabilities.
  • Receive, analyse and interpret reports of technical, threat and vulnerability information from all sources of intelligence. This includes outputs from DWP systems as well as intelligence from OGD partners; knowledge exploitation, and open-source information. Use the information for the identification of threats across the DWP estate.
  • Produce and review technical reports following security incident investigations, including recommendations for resolving or mitigating control failures and actively contribute to lessons learned exercises.
  • Lead, direct and manage a virtual team of security analysts focused on the technical investigation of security incidents, ensuring resources are assigned to the key threat areas and workloads organised appropriately to deal with competing demands.
  • Direct and co-ordinate technical incident response activities across the wider DFIR function, communicating effectively and coordinating activities across the team, involving expert domains and stakeholders in a timely manner, as appropriate, to ensure an effective and cohesive response.
  • Perform complex analysis in a high-pressure environment encouraging analysts to demonstrate adaptability and creativity, always demonstrating professionalism, and upholding the team’s credibility across DWP.
  • Provide timely intervention to protect the DWP IT Estate through operating and directing containment processes to isolate and prevent the spread of attacks.
  • Develop influential relationships with key stakeholders across the Department to support improvement activities to mitigate the risks from malicious activity.
  • Adhere to Association of Chief Police Officers (ACPO) guidelines for investigations, maintaining chain of custody records for evidential or intelligence items.
  • Present evidence as appropriate, acting as an expert witness if necessary.

The Security Monitoring and Investigations team operates 24 hours a day, 7 days a week and as a result, post holders may be required to work as part of an on-call rota and to work outside of usual office hours as investigations dictate. Travel to different DWP sites and Government agencies with occasional overnight stays will also be required.
