Job summary
Guy's & St. Thomas' NHS Foundation Trust operates within the complex Health and Care ecosystem, which brings many challenges in managing the complex and diverse demands and interests of patients, users, partners, suppliers, industry and regulatory bodies.
This role will be primarily responsible for supporting the Trust in improving the Trust's cyber security posture and reducing the risk of impact from a cyber security incident. Ultimately, this role's aim is to help the Trust to protect the data and services that our patients depend on.
The specific responsibilities of the role will include ensuring that appropriate cyber security risk controls are embedded within Trust services and systems, and that patient services and systems can be safely and securely operated in alignment with Trust policy and standards.
The Information Security Analyst will need to form a large number of relationships across the Trust, including with DT&I colleagues, clinical Strategic Business Units, key IT suppliers and Internal Audit, and will contribute to explaining the security preparedness and cyber risk environment to Trust management and to key stakeholders.
Main duties of the job
The Information Security Analyst is accountable for helping to ensure that Guy's and St. Thomas' NHS Foundation Trust can protect patient data and services from cyber risk, and can meet national NHS standards for cyber security, specifically in relation to the management of cyber security risks to Trust data and Trust systems.
Reporting to the Cyber Security Risk Manager, the Information Security Analyst will be responsible for helping to ensure that cyber risk and assurance controls are effectively embedded within Trust services and systems, and that appropriate security risk control documentation is produced to evidence compliance with Trust policy and risk standards. This will include responsibility for advising, assessing and reporting on Trust information security risks and the assurance actions required to improve the Trust's cyber risk posture and to empower the Trust to deliver excellent standards of patient care.
The post holder will work closely with internal business units, DT&I colleagues, key IT systems suppliers, Internal Audit, and the NHS Digital Data Security Centre.
The work will be mainly based in the Trust's locations in central London with some travel to partner Trusts and supplier sites as necessary.
About us
Guy's & St Thomas' (GSTT) is one of the largest hospital trusts in the country. Our hospitals have a long and proud history, dating back almost 900 years, and have been at the forefront of medical progress and innovation since they were founded. We continue to build on these traditions and have a reputation for clinical, teaching and research excellence. Royal Brompton and Harefield hospitals became part of Guy's and St Thomas' in February 2021, bringing together world-leading expertise and research in heart and lung disease.
DT&I has a mandate to deliver a very broad and complex set of new patient-centric digital services and capabilities over the coming years to support the transformation of health and care. Whilst building and delivering new services and products, it is imperative that these, and our existing services and products, are maintained at the highest level of stability, performance and security.
Job description
Job responsibilities
- Assist with ensuring the protection and assurance of patient data and services against cyber security risk, while enabling secure delivery of new patient services and systems.
- Assist with ensuring that cyber risk and assurance controls are effectively embedded within Trust services and systems, and that appropriate security risk control documentation is produced to evidence compliance with Trust policy and risk standards.
- Assist with qualification of cyber risk to Trust systems and data, and assist with determination of suitable risk controls to mitigate identified risks.
- Monitor, assess and qualify key elements of cyber threat warnings and alerts (including those received from NHS Digital CareCERT) and assist with prioritisation and determination of remediation, working in collaboration with the Trust's cyber operational team and with wider Trust colleagues.
- Contribute to the delivery of a schedule of security vulnerability and compliance tests for Trust systems and the remediation of identified vulnerabilities.
- Assist with management of major cyber incidents and investigations.
- Assist with production of Cyber Risk reports and Cyber KPI reports, to help qualify and drive action to improve the Trust's cyber risk posture.
- Provide guidance and advice to the Trust on cyber security risk management.
- Assist with ensuring compliance with Trust information security policy at key assurance boards, including the Software Review Board and the Change Approvals Board.
- Assist with the delivery of key elements of the Trust strategic cyber improvement programme, including engagement with NHS Digital and other key partners to drive improvements to cyber capability and maturity.
- Assist with gathering evidence in support of the Trust's formal compliance statement against the NHS Digital Data Security & Protection Toolkit.
- Assist with developing and driving adoption of the Trust cyber security risk and assurance framework.
- Assist with the Trust response to major cyber incidents, and with preparatory work for major incidents, including cyber resilience planning and rehearsals.
- Assess and report on key elements of cyber security risk posture and compliance through collection and analysis of relevant cyber security metrics and KPIs.
- Contribute to ensuring that the Trust can meet the requirements of national cyber security standards and legislation, including the Data Security & Protection Toolkit, Cyber Essentials Plus, the Data Protection Act (2018) / GDPR and the Directive on the security of Network and Information Systems.
- Assist with audit of Trust systems and processes to identify gaps or weaknesses in current policy and practice.
- Support Trust cyber initiatives through contributing to briefings and reports on cyber risk posture, action planning, and compliance with required standards.
- Assist with provision of colleague education and awareness on cyber threats and how to safely respond to cyber incidents.
- Contribute to development of security risk management skills and understanding within the Information Security Team and within the wider Trust.
Person Specification
Qualifications and Knowledge
Desirable
- Educated to Degree level, or equivalent experience, in Computer Science or a related science discipline;
- Evidence of continuing professional development;
- Subject matter expert in cyber security risk management.
Previous Experience
Desirable
- At least five years' experience of working within large, complex, and diverse technical organisations in a cyber security role;
- Experience of working within enterprise-scale cyber security strategies, services and teams;
- Experience of working within complex transformation programmes in partnership with business and IT teams.
Skills and Abilities
Essential
- Ability to make pragmatic risk management decisions balanced appropriately between protection, usability, performance and cost.
- Ability to analyse complex problems and to develop practical and workable solutions to address them;
- Ability to engage and build coalitions across diverse stakeholder groups within complex, enterprise scale environments;
- High level of analytical skills and the ability to draw qualitative and quantitative data from a wide range of sources and present it in a clear and concise manner;
- Demonstrates sound judgement in the absence of clear guidelines or precedent, seeking advice as necessary.
Desirable
- Ability to demonstrate leadership and vision in a changing environment;
- Strong leadership and engagement skills to create high performing, customer-focussed teams in the context of changing requirements and ambiguity;
Setting Direction
Essential
- Sound leadership and influencing skills with the ability to enthuse, motivate and involve individuals and teams;
- Ability to be intellectually flexible and to look beyond existing structures, ways of working, boundaries and organisations to produce more effective and innovative service delivery and partnerships;
- Sound judgement and astuteness in understanding and working with complex policy and diverse interest groups, and common sense in knowing when to brief "up the line";
- A commitment to continuous improvement in cyber security standards.
Personal Qualities
Essential
- Ability to balance and manage multiple conflicting demands, calmly and confidently;
- Personal resilience, determination and ability to deliver positive outcomes on challenging issues.
- Excellent inter-personal and communications skills, with a track record in writing complex business cases and policies;
- Strong sense of commitment to openness, honesty and integrity in undertaking the role.
- Flexibility and the ability to handle a rapidly changing and ambiguous environment;
- Ability to thrive in an often-ambiguous environment.
Disclosure and Barring Service Check
This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.
Applications from job seekers who require current Skilled Worker sponsorship to work in the UK are welcome and will be considered alongside all other applications. For further information visit the UK Visas and Immigration website.
From 6 April 2017, skilled worker applicants applying for entry clearance into the UK have had to present a criminal record certificate from each country in which they have resided continuously or cumulatively for 12 months or more in the past 10 years. Adult dependants (over 18 years old) are also subject to this requirement. Guidance can be found under Criminal records checks for overseas applicants.