| Description: |
Job title: Security Lead - DV Cleared-(Contract Outside IR35)
Location: UK only. Hybrid with attendance at client locations across the UK. Some client secure-area work required
Employment type: Contract Outside IR35
Experience: 5+ years
Security Clearance: DV (Developed Vetting) and UK Nationality - MANDATORY. Pre-cleared candidates strongly preferred
1. Role purpose
The Security Lead is our accountable security owner for the managed service. The role leads on, and has day-to-day operational responsibility for, service security - working in collaboration with the client's Information & Security function, the client Security Operations Centre (SOC), the internal delivery team, and the third-party software vendor.
2. Context
The service processes HR, Finance and Project data including OFFICIAL-SENSITIVE personal and financial data. The contractual security regime spans UK Government security policy, NCSC HMG IAS5, GDPR/DPA 2018, PCI-DSS where applicable, and the client's Cyber Security Incident Response Plan.
3. Key accountabilities
3.1 Day-to-day security leadership
Lead and own day-to-day operational responsibility for service security.
Advise the client on security status and matters; identify and address risks; continuously maintain and improve the security posture.
Act as the authoritative security voice in the client's Design Authority and Enterprise Architecture forums for security-impacting changes.
3.2 Security operations and SOC integration:
Provide the required reports to the client SOC in agreed format and frequency.
Support the SOC in resolving security incidents; document security use cases with the SOC; implement, maintain and support those SOC infrastructure components hosted within the cloud infrastructure.
Co-ordinate response to security incidents with the client's Cyber Security Incident Response Plan and ensure the Incident Manager and Service Delivery Manager are informed and aligned.
3.3 Assurance, audit and compliance:
Treat information security issues, weaknesses or deficiencies identified by the client as Security Incidents under the client's Cyber Security Incident Response Plan.
Provide client auditors with access to security documentation, configurations of security-enforcing technologies, standards and procedures.
Collaborate with the client to plan and conduct annual PenTest and regular Disaster Recovery exercises.
Ensure GDPR/DPA 2018 obligations are met; oversee data retention, secure disposal, lawful processing, and Data Protection Impact Assessments where required.
3.4 Technical security controls
Define, document, agree and maintain Standard Operating Procedures for system administration and maintenance, with procedural controls per user role.
Ensure authorisation controls prevent extraction of information assets without legitimate need.
Ensure only client-issued devices are used to connect to the service in delivery.
Maintain a data back-up policy aligned to Business Impact Assessment and the client's retention policy.
Enforce removable-media scanning, network segregation, least-privilege access, location-based access controls, and unique user IDs.
Ensure all Supplier work on the service is conducted exclusively from within the UK from client-approved secure areas.
3.5 Communications and notification
Maintain regular communication with the client throughout the contract.
Promptly notify the client of any changes to directors, key security personnel, business ownership (including acquisitions) or physical operating locations.
Report any major security breaches within the Supplier's own ICT estate to the client.
4. Essential experience and skills
Substantial experience as an accountable security owner on a UK Central Government managed-service contract handling OFFICIAL-SENSITIVE data.
Deep working knowledge of NCSC HMG IAS5, NCSC Cyber Assessment Framework (CAF), Cyber Essentials Plus, ISO/IEC 27001, GDPR and DPA 2018.
Hands-on experience integrating with a UK Government SOC, including SIEM reporting, security use case design and incident response co-ordination.
Practical experience of Oracle Cloud security - OCI IAM, vault, network security, audit, PAM - and Oracle SaaS application security (HCM/ERP/EPM RBAC, segregation of duties, data masking).
Experience commissioning and overseeing PenTesting, vulnerability management, and Disaster Recovery exercises in a UK Government context.
Strong written communication for government-grade audit, assurance and governance reporting.
Comfortable as a named security accountable individual in formal governance and contractual reporting.
5. Essential clearance and eligibility
DV clearance and UK Nationality - contractually mandatory (PASS/FAIL). Pre-cleared candidates strongly preferred. Candidates without current DV may be considered only if SC-cleared with a credible DV application route through client sponsorship at the start of Transition.
Willing and able to work exclusively from within the UK.
Willing to attend client secure areas across the UK as required.
6. Desirable
CISSP, CISM, CCP (CESG Certified Professional) IA Architect/IA Auditor/SIRA, or equivalent senior security certifications.
Oracle Cloud Security certifications (OCI Security Professional, Oracle Cloud Identity & Security Architect).
Prior experience of an Oracle ERP-on-OCI security model at scale (HCM, ERP, EPM, VBCS, BI/Analytics).
Familiarity with UK Government security operating context, including overseas-network considerations, locally-engaged staff data, and HMG personnel security policy.
Experience supporting PCI-DSS compliance where payment card data is in scope.
7. Personal attributes
Authoritative without being abrasive - able to say 'no' to delivery pressure and explain why in business terms.
Detail-oriented on policy, controls and evidence; pragmatic on operational trade-offs.
Comfortable owning a named, individually-accountable role under public-sector contractual scrutiny.
Visible collaborator with client security counterparts, third-party vendors, and internal service leadership.  |
