Job Description

Vulnerability Management Lead Job Description

Name of Client Organisation: CDDO
Team Name: Domains Team - Securing Government Services
Client Contract Managers: Contingent Workforce Programme Office
Contract ID No: C712
Contract Length: Until 28/03/2025
Contract Type: Temporary

Who we are:

The Central Digital and Data Office leads the digital, data and technology (DDaT) function for the government. We put the right conditions in place to achieve digital, data and technology transformation at scale by working with departments, and with other government functions such as commercial, project delivery and security professionals.

CDDO is responsible for:
Digital, Data and Technology Strategy and Standards
Cross-government DDaT performance and assurance, including Spend Controls
DDaT Capability Development, including the DDaT pay framework
Providing guidance to help secure government services

The Domains Team protects public sector domain name spaces such as “.gov.uk”, and ensures that they remain stable, trusted, well managed and resistant to compromise. The team also helps protect the infrastructure, tools and services associated with these domains. You can read more about these missions and our vision for the transformation of government in our 2021-2024 strategy.

What you’ll do:

As a Vulnerability Management Lead for the Domains Team you will:
Broaden the capability of the Domains Team. Currently the team has expertise around domains-related vulnerabilities. The Vulnerability Management Lead will develop this expertise so that the team can help stakeholders deal with vulnerabilities found in the infrastructure, tools and services that Public Sector bodies commonly use in the development and delivery of their own digital services.
Enable the Domains Operations Team to quickly classify and triage vulnerabilities at scale, according to priority
Help Public Sector bodies understand, assess and act on the vulnerability information they receive
Help Public Sector bodies plan and prioritise how vulnerabilities are addressed to meet organisational objectives, using a risk-based approach
Help Public Sector bodies improve their vulnerability management life cycle
Proactively identify and leverage threat intelligence sources to inform strategic vulnerability mitigation measures
Help create a knowledge base of written guidance to help stakeholders manage, prioritise and fix their vulnerabilities
Develop and maintain good working relationships with stakeholders across the Public Sector to accelerate the reduction of risk through the fixing of vulnerabilities
Identify improvements to be made, both specifically and generally, identifying common problems and solutions across multiple organisations
Work with the Domains Team to design and deliver effective services that meet user needs and are measurable through meaningful KPIs
Work closely with the Government Cyber Coordination Centre (GC3), the UK government’s focal point for cross-government collaboration on operational cyber security
Work with the product owner to improve the quality of the data we share with public sector bodies
Identify gaps in our monitoring capability, to improve what we can provide to organisations

Who you are:

We are interested in people who have:
Expert knowledge of the security advantages and vulnerabilities of commodity products and technologies
Good working knowledge of current cyber security threats and risks
Experience in performing risk assessments, including business impact assessments, threat assessments and vulnerability (control gap) assessments
Experience in developing security advice guidelines and specific mitigation advice, aligning these with business risk in a proportionate way
Extensive experience in specifying and deploying technical security controls and developing design patterns based on a solid understanding of security design principles
Good working knowledge of the marketplace of cyber security products and services
Good working knowledge of cloud computing architecture and related technologies
Ability to interact with a broad cross-section of personnel to explain and encourage the implementation of security measures

Indicative professional qualifications / accreditations:
Relevant industry qualifications and accreditations, e.g. Certified Cyber Professional (CCP), Certified Information Systems Security Professional (CISSP), ISO27001 Lead Implementer

Civil Service Competencies

In the Civil Service, we use our Success Profiles. This gives us the best possible chance of finding the right person for the job, drives up performance and improves diversity and inclusivity. For this role, the following competencies are the most relevant:
Leadership: Show pride and passion for public service. Create and engage others in delivering a shared vision. Value difference, diversity and inclusion, ensuring fairness and opportunity for all.
Seeing the Big Picture: Understand how your role fits with and supports organisational objectives. Recognise the wider Civil Service priorities and ensure work is in the national interest.
Making Effective Decisions: Use evidence and knowledge to support accurate, expert decisions and advice. Carefully consider alternative options, implications and risks of decisions.
Working Together: Form effective partnerships and relationships with people both internally and externally, from a range of diverse backgrounds, sharing information, resources and support.

How your contract will work:

Your Employment Status: As this is a temporary role you will be classified as a contingent worker or simply ‘worker’. Find out more about employment status and what it means.
Our Partner Suppliers: You will be onboarded and paid via one of our partner service suppliers, who will act as an intermediary between yourself and us. Our partner suppliers provide recruitment, onboarding and payroll services. You will be able to choose from a list of approved umbrella companies provided by the supplier and will select one based on the different packages and benefits offered to you.

Your Pay: Initially the pay rate will be disclosed when you apply for the role or when you are contacted by the GDS Contracting Team and/or our partners about the opportunity. Your pay rate will also be set out in the offer letter and on the work order should you be offered the role. You will submit timesheets that will be paid in line with our partners’ payroll terms. Usually this means that you will be paid 30 days from the date of first timesheet approval, but it can be sooner depending on the supplier and umbrella company.

IR35 Status: Your contract is in scope, which means the off-payroll working rules apply. Unsure about IR35? Find out what it means.

Framework: As a Government department we will engage you and any suppliers via a Crown Commercial Service approved framework for contracting. On this occasion we will be engaging you via: Non Clinical Staff - RM6277

Acceptance: Your acceptance of the role is confirmed via a signed offer letter and via the contract that will be issued to you by the supplier.

Call-off Incorporated Terms: The Call-Off Contract, Core Terms and Joint Schedules for this Framework Contract are available on the Crown Commercial Service (CCS) website. Full call-off terms and conditions can be found at https://www.crowncommercial.gov.uk/agreements/RM6277

Our Notice Period (Client): 0 days
Your Notice Period (Contingent Worker): 0 days

This document has been generated at the Government Digital Service by the GDS Contracting Team.
All information, rights, obligations and terms set out in this document fully correspond with the contract issued by © Alexander Mann Solutions Limited for the supply of services via the Public Sector Resourcing framework - RM3749 and/or the call-off terms for all suppliers on the Non Clinical Temporary and Fixed Term Staff Framework - RM6160.