Information Security Specialist

Canary Wharf, East London, United Kingdom

Job Description


The NHS Counter Fraud Authority is the national body responsible for all matters relating to the prevention, detection and investigation of economic crime across the NHS. Further information about our work and our annual plan for delivering it is available on our website.

Our team is embarking on a piece of work to monitor data to identify and respond to patterns indicative of potential fraud. This will support our current work that reduces the likelihood of fraud occurring. We will bring in data science capabilities to be deployed in counter fraud activity and work closely with partners across health and government to further maximise the preventative impact of proactive counter fraud analysis. We will combine this with our range of counter fraud and domain expertise to maximise our impact, using your knowledge, experience and passion for your chosen field.

We are excited to offer an opportunity for an enthusiastic, skilled and experienced Information Security Specialist to join our team. In this pivotal role you will collaborate with existing security specialists to provide an assured and compliant secure technology environment. The role requires that the post holder be eligible for, or already hold, UK National Security vetting to SC level. Fixed Term contract until 31st March 2026.

Potential applicants can contact Simon Clark at simon.clark@nhscfa.gov.uk for an informal chat if you have any questions regarding the role. Interviews will be held w/c 24.3.25.

Main duties of the job

  • Manage, maintain and improve Information Security governance, risk and compliance within the NHSCFA.
  • Manage the NHSCFA ISO27001 programme, maintaining continuous certification to the Standard.
  • Manage the NHS DSPT compliance programme.
  • Contribute to accreditation to UK Government Public Services Network (PSN) requirements.
  • Maintain constant awareness of changes in compliance requirements, including updates to ISO standards, PSN and the NHS DSPT.
  • Manage Information Security audit programmes for ISO27001 and other compliance regimes, including remediation of audit findings.

About us

We have offices based in Coventry, Newcastle and London and offer flexible, hybrid, office and home-based working. In addition to the advertised salary, working in the London area will attract High-Cost Area Supplement where appropriate.

The NHSCFA values and respects the diversity of its employees and aims to recruit a workforce which reflects our diverse communities. We welcome applications irrespective of people's age, disability, gender, race or ethnicity, religion or belief, sexual orientation, or other personal circumstances. We have policies and procedures in place to ensure that all applicants are treated fairly and consistently at every stage of the recruitment process, including an invitation to the first stage of the selection process and consideration of reasonable adjustments for people who have a disability.

If you are applying to undertake this role on a secondment basis you should have agreement in principle to being released from your current role prior to submitting an application form. When you apply for this role, you will be redirected to our recruitment system TRAC.

The NHSCFA does not hold a sponsor licence in respect of skilled worker visas and so is unable to employ candidates requiring sponsorship. We reserve the right to close this vacancy before the advertised closing date should we receive a significant number of applications.

  • Date posted: 21 February 2025
  • Pay scheme: Agenda for change
  • Band: Band 7
  • Salary: £46,148 to £52,809 a year
  • Contract: Fixed term
  • Duration: 12 months
  • Working pattern: Full-time, home or remote working
  • Reference number: 076-CFA7014041
  • Job location: 7th Floor, HM Government Hub, 10 South Colonnade, Canary Wharf, London, E14 4PU

Job responsibilities

  • Manage the NHSCFA Cyber Risk Management process, producing comprehensive Risk Documentation in accordance with National Cyber Security Centre best practice.
  • Assess the effectiveness of Security Controls by conducting reviews, internal audits and spot-checks of ICT Security Infrastructure elements including, but not limited to: firewall, IDS/IPS, anti-malware, web and email filtering, MDM, SIEM, patch and vulnerability management.
  • Support the ICT Security Incident Management Process, reviewing security incidents, weaknesses and malfunctions relating to the NHSCFA's systems, and taking appropriate remedial action.
  • Produce reports for Information Security risk and compliance, including KPIs and standards where applicable.

Please see the full Job Description and Person Specification.

Person Specification

Specialist Knowledge
Essential

  • Experience of implementation and management of security technologies including: firewall, WAF, anti-malware, IDS/IPS, web filtering, email filtering, SIEM, patch management, MDM, DLP
  • Demonstrate extensive knowledge of Information Security and assurance in the following areas:
  • Cloud security (AWS, Azure, SaaS cloud applications)
  • Virtualisation
  • ISO27001
  • Risk Management Process
  • Security Monitoring and auditing
  • Database security
  • Production of IT security reports/MI for relevant parties
  • Security due diligence and security assurance reviews of 3rd party suppliers
  • Working with a combination of outsourced and in-house IT provision
Desirable
  • Experience and knowledge of some of the following:
  • ICT application security architecture and design
  • Software security architecture
  • Digital Forensics
  • Public Services Network (PSN) and NHS HSCN
  • Penetration Testing
  • Network (LAN/WAN) security
  • Experience of designing IT security mitigation measures to meet information security work-based assessments
Knowledge and Experience
Essential
  • Detailed technical knowledge across a diverse range of areas including web technologies, applications and services, information systems and cloud infrastructure, and managed service architectures.
  • Experience of developing, implementing and maintaining ISO27001 certification.
  • Experience of designing and recommending appropriate controls to enable the achievement of IT security and wider business goals.
  • Experience of evaluating threat intelligence data from multiple sources to inform decision making.
Desirable
  • Has a real interest in Information Security and ensures they keep up to date with the latest security news.
  • Management of NHS DSPT compliance
  • Line management experience
Qualifications
Essential
  • Degree or equivalent in an Information Technology or related field, or significant demonstrable experience.
  • ISO27001 Lead Auditor
  • A professional certification or qualification in Information Security Management (e.g. CRISC, CISA, CSA-CCSK, CSA-CCAK) or other relevant professional Information Security qualification.
Desirable
  • EC-Council Certified Ethical Hacker
  • ISO27001 Lead Implementer
  • Microsoft Certified: Azure Security Engineer Associate
  • ITIL foundation
  • CompTIA Security+
Vetting
Essential
  • Eligible for UK National Security vetting to SC level.
Desirable
  • Holds UK National Security vetting at SC level or above
Communication Skills
Essential
  • Clearly demonstrates impactful communication skills (oral, written and presentation) in both formal and informal settings, articulating complex ideas to broad audiences

NHS



Job Detail

  • Job Id
    JD3028766
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    £46148 - 52809 per year
  • Employment Status
    Permanent
  • Job Location
    Canary Wharf, East London, United Kingdom
  • Education
    Not mentioned