OCIO-0014 Enterprise Risk Management Supporting Officer (NS) - MON 23 Jan

Deadline Date: Monday 23 January 2023

Requirement: Enterprise Risk Management Supporting Officer

Location: Brussels, BE

Full time on-site: Yes

NATO Grade: A3/G17/88

Total Scope of the request (hours): 1672

Required Start Date: As soon as possible, but no later than 23 February 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Annex A – Special Terms and Conditions

The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes, social security etc. whilst working on site at NATO HQ Brussels, Belgium.

No special status is either conferred or implied by the host organisation, NATO HQ Brussels, Belgium to the contractor whilst working on-site.

The contractor will be responsible for complying with all the respective National Health COVID-19 regulations in Belgium before taking up the position.

1. INTRODUCTION

NATO is undergoing a major adaptation of its overall approach to cybersecurity. As part of its mandate, the NATO Chief Information Officer (CIO) is overseeing the coherence of the NATO Enterprise ICT (Information Communication Technology) capabilities and services and is the single point of authority (SPA) for cybersecurity. The NATO CIO is responsible for developing and implementing a cybersecurity strategy through a comprehensive cyber adaptation programme. This includes significant interaction with executive stakeholders, both military and civilian, required to oversee the NATO Enterprise coherence and cybersecurity efforts.

As part of its mandate, the Office of the NATO CIO (OCIO) needs to execute and enforce the role of SPA for cybersecurity, which includes the assessment of the Enterprise Surface of Attack and the management of eventual cybersecurity risks stemming from NATO CIS and assets.

Within this framework, the OCIO has developed a series of projects to support the Enterprise ICT coherence and cybersecurity, developing and refining the Enterprise Risk Management processes and tools.

The aim is to use a deeper integration of existing cyber-related processes (e.g. Accreditation, Threat Assessment, Capability Development etc.) into the Risk Management Process and Framework to improve the baseline level of support to existing Cyber Risk Management enabling tools (e.g. Registries, assessment tools, up-to-date maps).

In this context, the support to the Board of CISOA portal and to the risk management process of the various NATO CIS Operational Authorities Enterprise-wide is essential. The OCIO aims at better integrating the functionalities of the Enterprise Risk Management tool prototype (portal) and further improving coherence, information sharing and Situational Awareness in the area of risk management in support of the OCIO’s role of main NATO Enterprise Risk Owner.

TASKS

The contractor will effectively and efficiently provide, with minimal supervision, the following services, with a special focus on cybersecurity risk management:

2.1 Expand the functionalities of the Enterprise Risk Management tool prototype (portal) supporting the Cyber Risk Management enabling tools (e.g. Registries, assessment tools, up-to-date maps). The portal is used as a baseline to include additional features in support of the accreditation process, coordinated with all recognised Security Accreditation Process Stakeholders (SAAs, CISOAs, CISPs and CISPIAs) by the OCIO itself.

o Measurement: To the NATO CIO satisfaction with the degree of support provided in managing and supporting the Cyber Risk Management enabling tools (e.g. Registries, assessment tools, up-to-date maps) ;

2.2 Support the integration of existing cyber-related processes (e.g. Accreditation, Threat Assessment, Capability Development etc.) into the Risk Management Process and Framework, by integrating and feeding the necessary inputs.

o Measurement: The degree and quality of support in the development of Risk Management Process and Framework, taking into consideration existing risks and methodologies.

2.3 Develop and coordinate the work to support the ‘Board of CISOA portal’ and to improve and facilitate the risk management process of the various NATO CIS Operational Authorities, Enterprise-wide, including CISOAs able to operate prioritization of CIS and services.

o Measurement: The degree and quality of support to the BCISOA portal and the improvement in the risk management process as a consequence of said support.

2.4 Improve coherence, information sharing and situational awareness in the area of risk management in support of the OCIO role of main NATO Enterprise Risk Owner.

o Measurement: The degree and quality of support to information sharing and situational awareness over Enterprise risk status in support of decision-making function of ECISOA.

2. PROFILE

[See Requirements]

3. LOCATION OF DUTY

The work will be executed primarily on site at the NATO HQ offices in Brussels, Belgium. Frequent travels or short deployments to NATO Command Structure bodies would be required. Due to the nature of the work, minimal teleworking can be foreseen.

4. TIMELINES

The services of the contractor are required for the period starting 23rd of February 2023 until 31 December 2023.

5. SPECIFIC WORKING CONDITIONS

Secure environment with standard working hours. Occasional non-standard hours may be required in support of the NATO Chief Information Officer urgent tasks.

6. TRAVEL

Occasional business travel may be required. Travel expenses to be reimbursed to the individual directly (in addition to the hourly rate) under NATO rules.

7. SECURITY AND NON-DISCLOSURE AGREEMENT

The contractor must be in possession or capable of possessing a security clearance of NATO SECRET.

A signed Non-Disclosure Agreement will be required.

Requirements

2. PROFILE

• The candidate must have a currently active NATO SECRET security clearance
• The candidate must have previous experience within NATO and/or Industry Enterprise Risk Assessment and Management methodologies and tools (e.g. PILAR);
• The candidate must have knowledge and multiyear experience in organization, management and support of various (international) operations, activities, units and projects related to defence, security, electronics and communications, in the NATO environments.
• The job requires knowledge of the NATO and Industry risk management frameworks;
• The candidate must have previous experience within NATO and/or Industry Risk Assessment and Management
• The job requires experience with Risk Assessment and Risk Management as applied to CIS Security and Cybersecurity fields;
• The candidate must have experience in leading staff work within large and complex projects and in coordinating multiple stakeholders in different and separate locations;
• The candidate must have excellent English writing skills and the ability to brief their work in English;
• The knowledge and working experience with Risk Assessment and Management methodologies (e.g. ISO 27001) and related tools (e.g. PILAR) is preferred;