Title: Senior Information Risk Advisor The Programme and Project Partners (PPP) model was mobilised in 2019 with the purpose of transforming major project delivery at the Sellafield nuclear site. The partnership brings together KBR, Jacobs, Morgan Sindall Infrastructure, Altrad Babcock and Sellafield Ltd to deliver a 20-year pipeline of major infrastructure projects to support the decommissioning of Sellafield and to create a clean and safe environment for future generations. In delivering its pipeline of large-scale infrastructure projects, PPP is creating opportunities for its people, supply chain, economy and communities. KBR’s rapidly growing nuclear team of teams is working at the forefront of the UK’s nuclear space on some of the most exciting new-build, defence and decommissioning programmes. KBR was recently named a “Great Place to Work-Certified” company in 2023, an honour that underscores the company’s commitment to being a UK employer of choice for people who want to do work that matters. Due to the nature of our work and security requirements, KBR does not offer sponsorship. We can only consider applicants with the right to live and work in the United Kingdom We are an Equal Opportunities employer and strive to build a workforce that truly reflects the communities we represent. We welcome candidates from all backgrounds, regardless of age, disability, gender, gender identity, gender expression, race, religion or belief, sexual orientation, socioeconomic background, and any other protected characteristic. If you decide to apply for an opportunity with us, your application will be assessed based purely on your experience, the essential and desirable criteria, and your suitability for the role. LI-JI1 LI-HYBRID Project: PPP Digital Reports to: Head of IT / ITSO Location: Warrington / Cumbria, 2 / 3 days per week on site with travel to opposite site potentially once per month Qualifications, Experience and Skills Qualifications : Qualification or membership of a professional body in Information Security. Qualification as an NCSC Cyber Certified Practitioner (CCP) at SIRA level, or a former GCHQ CESG CLAS consultant Significant experience in applying Cyber Security Standards. Experience in applying technical information technology and information assurance controls to business information models Experience of working in a Regulated environment. Experience and Skills: Essential: A good understanding of Cyber Security threats and exploitation. A good understanding of ICT (both IT and OT) architecture. A good understanding of NCSC architectural approach. Ability to interpret business requirements and technical ICT documents into Cyber Security requirements. Good understanding and knowledge of ICT systems (software, hardware and networks) and applications both legacy and current. Good communication skills across all levels of the business and able to talk to non-specialists, specialists and senior stakeholders. Ability to work independently and unsupervised. Excellent problem solving skills. Methodical and logical approach. Self-motivated and can demonstrate high levels of resilience, honesty and integrity. Desirable: Ideally qualified at a minimum of degree level in an IT, Cyber Security, or associated technical or engineering studies. CISSP or equivalent. Experience of working with operational cyber security teams. Experience of working with Regulators/in a Regulated environment. Core Responsibilities and Duties General: The Senior Information Risk Adviser (SIRA) is an autonomous risk role to support the PPP ITSO and Head of IT with understanding the technology risks and propose mitigations to assist in establishing and maintaining an enduring cyber security and information assurance posture. The role’s primary function is to conduct formal risk assessments on the PPP IT environment that supports PPP business needs whilst satisfying SL and ONR/ICO Regulatory requirements. The role’s secondary function is to assist in developing the “secure by design” approach for the delivery of programmes and projects by PPP. The role has a broad scope spanning technical and process risk across the cyber security, information security and privacy space and will necessitate engagement with SL CS&IA (Cyber Operations, Assurance, Risk, Data Protection), SL ISO (Architecture, Service and Knowledge Management), SL Cyber Programme and PPP Partners. The output will include (but is not limited to) the production of formal risk assessments conducted to the standards acceptable to SL, including but not limited to HMG IS1, IRAM 2 or other ISO27005 assessments as agreed. The output will be used to determine the exposure to risks and likelihood of materialisation, required mitigations and support to PPP CS&IA planning necessary to support correctness of posture, satisfy Regulatory matters. In order to provide the outcomes above, it is envisaged that the SIRA role will be responsible for: Formal risk assessment of the PPP O365/Azure security configuration and other systems. Recommendations around mitigations necessary to minimise the materialisation of identified risks in line with the SL risk framework. Production of risk reports to support the PPP ITSO with the PPP CS&IA Plan. Represents PPP cyber risk exposure in any security related working groups within SL, Regulatory or internal PPP environs. Analysis of system configurations and in cognisance of NCSC guidance, determination of associated risk in relation to systems or solutions developed or implemented by PPP Partners for SL. Assists with input to the risk tracking of PPP related cyber risks and the management of a PPP Cyber and Information security/privacy risks by the PPP ITSO for the PPP ICT Manager. Formal determination of cyber and information security/privacy related risks and issues. Specific: Knowledge of Civil Nuclear Information security requirements and NCSC good practice. Understanding and knowledge of the strengths and weakness of modern ICT technology to identify vulnerabilities when assessing information systems architectures and designs. Knowledge and experience of network and systems management. Knowledge and use of security and privacy policy (including but not limited to ISO27001, ISO 27005, ISO22301, NISR 2013, NIST 800-53, EU GDPR and DPA 2018) Knowledge of Cyber Security models and frameworks (NIST PDRR, Mitre ATT&CK, ONR SyAPs). Thorough knowledge of Cyber Security risk methodologies including but not limited to HMG IS1, IRAM 2 and others such as NIST RMF (800-37)