1 | P a g e www.copfs.gov.uk

COPFS Application Pack

Head of Cybersecurity and Resilience

2 | P a g e www.copfs.gov.uk

Contents

Introduction 3

Vacancy Information 4-8

Competencies 9-15

3 | P a g e www.copfs.gov.uk

Introduction

This pack is to guide you through the recruitment process for the role of Head of Cybersecurity and Resilience. It is vital that you read

this carefully as hints and tips are contained.

If you have any further questions or require the application pack in an alternative format, you can contact:

Email - Recruitment@copfs.gsi.gov.uk

Telephone – 0300 020 3218

For further information about COPFS please visit our website - http://www.copfs.gov.uk/about-us/about-us

4 | P a g e www.copfs.gov.uk

Vacancy Information

Job Title Head of Cybersecurity and Resilience

Function & Unit Business Services, Information Systems Division - Enterprise Solutions

Location Crown Office, 25 Chambers Street, Edinburgh, EH1 1LA

Grade Band F

Eligibility All candidates who meet the essential criteria are eligible to apply

No of Vacancies 1

Contract Terms Full time, Permanent

Salary: £48,692 - £55,542 per annum + £4,000 IT allowance + COPFS benefits package

The IT allowance is payable immediately to candidates possessing the necessary IT skills and experience.

Please note that any application for the post will be expected to meet the standard working requirements of the

vacancy unless approval has been sought by the applicant through the HR Resourcing Team in advance of

application.

Job Description:

Main Duties

Information Systems Division (ISD) delivers and supports an enterprise portfolio of efficient, resilient, innovative

and secure IT services to meet COPFS’ business needs. ISD will play a crucial role in implementing COPFS’ digital

strategy by developing sustainable digital and information solutions that modernise, innovate and transform the

delivery of user focused services and to improve the way our organisation works.

This post, part of a number of targeted posts being advertised to enhance ISD’s operational and strategic delivery

capabilities, offers an exciting opportunity to manage and lead the ISD Cybersecurity and Resilience team

responsible for providing secure IT infrastructure and enterprise digital services to COPFS’ internal and external

customers and stakeholders. Reporting directly to the Director of IT, the post-holder will have responsibility for

the successful delivery of threat and vulnerability management solutions, security controls and policies, technical

security risk assessments, IT security operating systems and for developing responsive and coordinated

cybersecurity incident management processes. The post-holder will also play an important part in providing

5 | P a g e www.copfs.gov.uk

expert technical security advice and knowledge to influence the design and operation of COPFS’ IT systems and to

put in place cross-ranging cyber resilience planning and processes.

The duties of the post will include:

Leading and developing a new and focused team providing professional IT cybersecurity and resilience

functions, services and expert advice.

Defining and developing IT security and information assurance policies and procedures, information sharing

agreements and supplier/vendor security working practices.

Maintain appropriate security measures and mechanisms to guard against unauthorised access to

electronically stored and/or transmitted secure information and protect against anticipated threats and

vulnerabilities.

Lead responsibility for the management and timely submission of COPFS’ PSN, PSNP and Cyber Essentials

Framework accreditations.

Writing and presenting RMADS to lead managers and to the Director of IT/Accreditor.

Providing effective leadership, relationship-building, interpersonal and stakeholder management skills to

engage effectively with wide ranging internal and external customers and stakeholders, government security

agencies/contacts and service suppliers.

Responsibility for assuring the technical design and configurations of COPFS’ enterprise IT infrastructure and

information systems operate securely and reflects industry best-practice and compliance standards.

Evangelist for IT cybersecurity and resilience planning and for ensuring COPFS’ policies, practices and IT

systems keep pace with latest cyber threat protection guidance and changing technology developments and

innovation.

Manage IT and cyber security related incidents and problems throughout their lifecycle and act as an

interface for executive management into operational security related matters.

Working in close partnership with COPFS’ Departmental Security Officer (DSO) to coordinate, manage and

deliver COPFS’ security policies and procedures and to provide key metrics and management reports on

security matters.

Member of COPFS’ IT Security Group and other relevant project boards and corporate committees.

Member of ISD’s senior leadership team, providing senior management functions and accountability for

delivering and developing ISD’s business activities.

Information about ISD provides wide ranging IT infrastructure, information systems and digital services to 1,600+ COPFS users

located in offices throughout Scotland and to external customers and stakeholders. ISD is involved in a number

6 | P a g e www.copfs.gov.uk

the Office/Unit/Team

of innovative and continuous improvement projects to support business needs and to deliver COPFS’ digital

strategy aims. Headed by the Director of IT, ISD is organised in four main groups: Enterprise Solutions;

Enterprise Technologies; Enterprise Applications; Cybersecurity and Resilience. ISD has around 50 permanent

team members plus additional contractor staff based in its offices in Edinburgh and Glasgow.

The post-holder, reporting directly to the Director of IT, will lead the ISD Cybersecurity and Resilience team. The

IT Security Officer (ITSO) will report to the post-holder.

Person Specification The efficient and secure processing, transmission and storage of information is core to COPFS’ business

operations. COPFS is also embarking on the implementation of a major digital strategy transformation

programme. This role is central in providing the technical skills, expertise and knowledge to continuously develop

COPFS’ cybersecurity systems, policies and resilience measures and to apply sustainable cyber security planning

that underpins the design and delivery of COPFS’ digital services to its customers and stakeholders.

All competencies, as indicated within the Competency Framework, are relevant to the role and illustrate the level

of competence expected of an employee in this grade. However for the purposes of assessment the following

competencies will apply:

Changing and Improving;

Making effective decisions;

Collaborating and Partnering;

Managing a quality service.

Please refer to the COPFS Competency Framework for full guidance.

The board may decide in advance of the interviews that they require further evidence to assess candidates for

specialist or senior positions in the Service. Further assessment may include presentation on a relevant topic at

interview, the submission of a piece of written work prior to the interview, or completion of an online/technical

assessment.

Candidates will be informed if further selection methods will be implemented.

Essential Criteria This Head of Cybersecurity and Reliance role will require the post-holder to provide expert and trusted strategic,

operational risk mitigation and technical advice, guidance and support on COPFS’ cyber security, both for its

operational IT systems and to contribute to ISD’s delivery of projects and implementation of the Digital Strategy.

They will be conversant with all facets of cyber security, including the formulation and implementation of policies,

7 | P a g e www.copfs.gov.uk

practices and monitoring of systems and be able to manage and drive security related projects and improvement

initiatives. They will understand the full extent of the integration of complex and integrated information systems

and applications technologies and how they must fit with the organisations enterprise IT infrastructure.

The essential criteria for this post are outlined below. Candidates will be required to fully demonstrate their

technical competencies at interview.

Proven track-record and broad experience in the management and delivery of compliant IT and

cybersecurity policies and protection solutions in a government or enterprise level organisation.

Experience of evaluation, certification and accreditation of IT and information systems to HMG or other

regulated security scheme requirements.

Demonstrable experience in reviewing and developing security policies, including Risk Management

Accreditation Document Set (RMADS) and other associated security accreditation and compliance

documentation.

Comprehensive technical understanding of a broad range of enterprise security technologies and

architecture, including but not exclusively, intrusion detection, anti-virus, firewalls, DMZ, secure

information architecture, patch management and encryption systems.

Proven track record in working closely with IT infrastructure and digital solutions architects to ensure that

security and accreditation design and operational aspects are adequately addressed.

Experience in overseeing and supporting IT health checks, including defining the scope, interpretation of

results and providing guidance on implementation of remedial actions.

Excellent communications and interpersonal skills, with proven experience of effective relationship-building

and ability to present and communicate written and verbal communications with internal and external

stakeholders and accreditors at all levels.

Desirable Criteria The desirable criteria is set out below:

Appropriate BCS information security management or other cyber security management related

qualifications such as CISSP, CISM, and ISO.

Experience of ISO 27001 information security management.

Experience of assessment and accreditation to the HMG PSN or PSNP schemes.

Detailed understanding of information security standards, good practice frameworks and other relevant

8 | P a g e www.copfs.gov.uk

documentation and guidance issued by CESG.

Experience of successfully managing and developing a team of IT professionals, contractors or external

suppliers.

Special conditions of

post

The post-holder will be based in our Crown Office at 25 Chambers Street, Edinburgh. The post-holder is,

however, required to work regularly from our Edinburgh and Glasgow offices and travel is therefore required for

business and meeting purposes, as is some occasional travel to other COPFS or stakeholder office locations.

There is an expectation that the successful candidate will, from time-to-time, consider working overtime during

weekday evenings and at weekends to meet business needs. This is not mandatory. As an ISD IT professional,

you will participate in the British Computer Society’s Professional Development Scheme.

The successful candidate will be subject to the appropriate UK national security vetting processes to obtain the

necessary security clearances required for this role in COPFS.

Other conditions of

post

Successful candidates will be expected to remain within their new post for a minimum of two years unless they

are successful in obtaining a post in a higher grade or moved to address a business need.

Additional

Information can be

obtained from

Keith Dargie

keith.dargie@copfs.gsi.gov.uk

0300 020 3613

Please return completed application forms to Recruitment@copfs.gsi.gov.uk no later than 5pm on the closing

date.

Job Advert Published 9th February 2018

Closing Date 23rd February 2018 at 5pm

9 | P a g e www.copfs.gov.uk

Competencies

Competency Framework for Recruitment & Selection

Selected Competencies – Head of Cybersecurity and Resilience

COPFS Competency Framework

The COPFS Competency Framework applies to all staff. The Competency Framework has been developed to recognise the general range

of skills and behaviours expected across all job roles within COPFS. It is based on the same competency framework used by nearly all

other Civil Service organisations. The COPFS Competency Framework is central in understanding how best to use the considerable

resources available in Civil Service Learning. This includes access to National Occupational Standards (NOS), recognised nationally in

industry and Government as indicators of how professionals should be performing. COPFS Learning & Development can provide advice

about management development in particular to a level 7 of the Chartered Management Institute standard.

Competencies: Recruitment and Selection

The Competency Framework enables COPFS to recruit and select staff by considering evidence on how an individual achieved an objective

or completed a task. It further allows selection based on specific past occurrences which can be indicators of future behaviours or

performance.

The Competency Framework should give all candidates an equal opportunity to describe their behaviours when working towards an

objective or performing a task.

All candidates should refer to the document “A Candidates Guide to Competency Based Selection” which is part of your recruitment pack

for a fuller explanation of Competency based selection. Office and Procurator Fiscal Service Com

Competency Levels

Competency levels determine the level that someone would be expected to demonstrate indicative behaviours in their day to day work

and interaction with others, these differ by grade. The levels go from level one up to level six. It would be assumed that someone

performing at level six would be aware of and routinely performing at levels one to five.

10 | P a g e www.copfs.gov.uk

COPFS Core Competency Levels

Co

mp

ete

ncy L

evels

by G

rad

e

Level 1

Band B

Level 2

Band C

Level 3

Band D

& E, PFD,

SPFD

Level 4

Band F,

PPFD & G

Level 5

SCS 1

&1A

Level 6

SCS 2 &

3

Leading and Communicating

1 2 3 4 5 6

Collaborating and Partnering

1 2 3 4 5 6

Managing a Quality

Service

1 2 3 4 5 6

Delivering at Pace 1 2 3 4 5 6

Making Effective Decisions

2 3 4 5 6

Building Capability for All 3 4 5 6

11 | P a g e www.copfs.gov.uk

Changing and Improving 3 4 5 6

Delivering Value for Money

5 6

Achieving Commercial

Outcomes

5 6

Seeing the Big Picture 5 6

For the purposes of this role, only

the behavioural indicators for the

competencies required have been

provided below (level 4)

12 | P a g e www.copfs.gov.uk

SETTING DIRECTION – Changing and Improving

Description People who are effective in this area are responsive, innovative and seek out opportunities to create effective change.

For all staff, it’s about being open to change, suggesting ideas for improvements to the way things are done, and

working in ‘smarter’, more focused ways. At senior levels, this is about creating and contributing to a culture of

innovation and allowing people to consider and take managed risks. Doing this well means continuously seeking out

ways to improve policy implementation and build a leaner, more flexible and responsive Civil Service. It also means

making use of alternative delivery models including digital and shared service approaches wherever possible

Effective Behaviour People who are effective are likely

to…

Ineffective Behaviour People who are less effective

are likely to…

Level Four Understand and identify the role of technology in

public service delivery and policy implementation

Encourage a culture of innovation focused on adding

value – give people space to think creatively

Effectively capture, utilise and share customer insight

and views from a diverse range of stakeholders to

ensure better policy and delivery

Spot warning signs of things going wrong and provide

a decisive response to significant delivery challenges

Provide constructive challenge to senior management

on change proposals which will affect own business

area

Consider the cumulative impact on own business area

of implementing change (culture, structure, service

and morale)

Ignore developments in technology that could

benefit public service delivery and policy

implementation

Take a narrow and risk averse approach to

proposed new approaches by not taking or

following up on ideas seriously

Fail to effectively capture, utilise and share

customer insight appropriately in the development

of policies and services

Remain wedded to the course that they have set

and unresponsive to the changing demands of the

situation

Spend limited time on engaging experts and

relevant individuals in developing and testing

proposals, failing to pass on relevant staff

feedback

Give limited time to acknowledging anxieties and

overcoming cynicism

13 | P a g e www.copfs.gov.uk

SETTING DIRECTION – Making Effective Decisions

Description Effectiveness in this area is about being objective; using sound judgement, evidence and knowledge to provide accurate,

expert and professional advice. For all staff, it means showing clarity of thought, setting priorities, analysing and using

evidence to evaluate options before arriving at well-reasoned justifiable decisions. At senior levels, leaders will be

creating evidence based strategies, evaluating options, impacts, risks and solutions. They will aim to maximise return

while minimising risk and balancing social, political, financial, economic and environmental considerations to provide

sustainable outcomes.

Effective Behaviour People who are effective are

likely to…

Ineffective Behaviour People who are less effective are

likely to…

Level Four

Push decision making to the right level within

their teams, not allow unnecessary bureaucracy

and structure to suppress innovation and delivery

Weigh up data from various sources, recognising

when to bring in experts/researchers to add to

available information

Analyse and evaluate pros and cons and identify

risks in order to make decisions that take account

of the wider context, including diversity and

sustainability

Draw together and present reasonable

conclusions from a wide range of incomplete and

complex evidence and data – able to act or decide

even when details are not clear

Identify the main issues in complex problems,

clarify understanding or stakeholder expectations,

to seek best option

Make difficult decisions by pragmatically weighing

the complexities involved against the need to act

Involve only those in their peer group or direct

reporting line in decision making

Underestimate the work required to consider all the

evidence needed and do not involve experts

sufficiently early

Take decisions without regard for the context,

organisation risk, alignment with wider agendas or

impacts (economic, social and environmental)

Get confused by complexity and ambiguity and

consider only simple or straightforward evidence

Rely too heavily on gut instinct and provide unclear,

incoherent or illogical analysis of core issues

Make expedient decisions that offer less resistance or

risk to themselves rather than decisions that are best

for the business

ENGAGING PEOPLE – Collaborating and Partnering

Description People skilled in this area create and maintain positive, professional and trusting working relationships with a wide range of

people within and outside the Civil Service to help get business done. At all levels, it requires working collaboratively,

sharing information and building supportive, responsive relationships with colleagues and stakeholders, whilst having the

14 | P a g e www.copfs.gov.uk

confidence to challenge assumptions. At senior levels, it’s about delivering business objectives through creating an inclusive

environment, encouraging collaboration and building effective partnerships including relationships with Ministers.

Effective Behaviour People who are effective are likely

to…

Ineffective Behaviour People who are less effective

are likely to…

Level Four Actively build and maintain a network of colleagues

and contacts to achieve progress on objectives and

shared interests

Demonstrate genuine care for staff and others – build

strong interpersonal relationships

Encourage contributions and involvement from a

broad and diverse range of staff by being visible and

accessible

Effectively manage team dynamics when working

across Departmental and other boundaries

Actively involve partners to deliver a business

outcome through collaboration that achieves better

results for citizens

Seek constructive outcomes in discussions, challenge

assumptions but remain willing to compromise when

it is beneficial to progress

Only seek to build contacts in immediate work group,

neglect to create a wider network beyond this

Neglect to maintain relationships during difficult

times

Operate within a narrow frame of reference and avoid

adopting a fuller perspective with associated

complexity

Be overly protective of own initiatives and miss

opportunities to network across boundaries

Struggle to manage, or actively ignore other parties’

agendas

Push forward initiatives on basis of personal agenda

or advantage and refuse to compromise; stay

wedded to one outcome

DELIVERING RESULTS – Managing a Quality Service

Description Effectiveness in this area is about being organised to deliver service objectives and striving to improve the quality of

service, taking account of diverse customer needs and requirements. People, who are effective plan, organise and manage

their time and activities to deliver a high quality and efficient service, applying programme and project management

approaches to support service delivery. At senior levels, it is about creating an environment to deliver operational

excellence and creating the most appropriate and cost effective delivery models for public services

Effective Behaviour People who are effective are

likely to…

Ineffective Behaviour People who are less effective

are likely to…

15 | P a g e www.copfs.gov.uk

Level Four Exemplify positive customer service behaviours and

promote a culture focused on ensuring customer

needs are met

Establish how the business area compares to

customer service expectations and industry best

practice and identify necessary improvements in

plans

Make clear, pragmatic and manageable plans for

service delivery using programme and project

management disciplines

Create regular opportunities for staff and customers

to help improve service quality and demonstrate a

visible involvement

Ensure the service offer thoroughly considers

customers’ needs and a broad range of available

methods to meet this, including new technology

where relevant

Ensure adherence to legal and regulatory

requirements in service delivery and build diversity

and equality considerations into plans

Take little action when customer needs are not being

met

Ignore external trends that impact on the business

area

Allow programmes or service delivery to lose

momentum and focus and have no contingencies in

place

Make changes to service delivery with minimal

involvement from others

Maintain a limited or out-dated view of how to

respond to customers’ needs

Disregard non–compliance with policies, rules and

legal requirements and allow unfair or discriminatory

practices