Education Authority

ICT Compliance Manager


Pay: Competitive
Location: Belfast/Northern Ireland
Employment type: Full-Time


  • Job Description

      Req#: 23001732
      JOB DESCRIPTION

      REPORTS TO: Compliance Lead

      RESPONSIBLE FOR: The Compliance Manager will be responsible for managing compliance with EA ICT Assurance and other applicable cyber and information security policies and standards (e.g. those issued by the NCSC). The Compliance Manager will also be responsible for monitoring compliance for software licensing and for engaging with wider organisational and external compliance functions as necessary. The Compliance Manager will be responsible for engaging with the IT Security Officers to review the implementation of security policy, and with the Network and Infrastructure teams in developing a means to monitor and measure compliance with policy for technical and procedural security controls. The Compliance Manager will be responsible for managing and leading the ICT Assurance compliance team. The Compliance Manager will be required to liaise with the Head of Services ICT Assurance on compliance issues to ensure consistency across EA service areas.

      JOB PURPOSE

      • To implement information security compliance activities for EA, ensuring compliance with relevant cyber and information security policies, standards and guidance.
      • To operationally manage cyber incident response for the organisation, co-ordinating external and internal resources in responding to suspected security breaches and leading the subsequent root cause analysis and lessons learned reviews.
      • To ensure that the confidentiality, integrity and availability of EA's assets, information, data and IT services supports the organisation to achieve the corporate objectives.
      • To protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of confidentiality, integrity and availability.
      • The objectives of the post will be met when:
        - Information is observed by or disclosed to only those who have the right to know (confidentiality)
        - Information is complete, accurate and protected against unauthorised modification (integrity)
        - Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
        - Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted (authenticity and non-repudiation)

      Leadership and management responsibilities

      The Compliance Manager has the following leadership responsibilities for this portfolio of services:

      Setting Vision and Strategy

      • Work with the ICT Assurance Compliance Lead to establish, maintain and communicate a clear and compelling strategic direction for information security across EA.
      • Contribute to the development of a strategic plan for cyber security and lead on the development of an ICT Assurance business plan.
      • Translate the corporate vision into ICT Assurance specific initiatives.
      • Lead the creation and ongoing transformation of the service, and all related processes and procedures.
      • Contribute to the development and implementation of new governance including policies, compliance frameworks and processes in line with strategic direction and other public sector/cyber security organisations.
      • Contribute to the design and implementation of supplier assurance services in respect of the scope of services being implemented by EA projects and 3rd party suppliers.
      • Challenge conventional approaches, harness new approaches and technology and maximise efficiencies.

      Managing the Organisation to Deliver

      • Manage service delivery effectively to ensure that the section achieves the highest possible standards of performance and focuses on the needs of internal and external customers.
      • Agree service performance targets with the ICT Assurance Compliance Lead and other EA Heads of Service and provide regular progress reports at SMT/Directorate level and occasional reports to Board level.
      • Agree and implement a robust annual operational plan for the service including relevant cyber security compliance policies and procedures.
      • Delegate responsibilities and deploy staff according to their skills and abilities to meet the needs of the section.
      • Regularly engage with the Compliance Lead to monitor and review plans and make adjustments as required.
      • Manage and continuously improve the section to ensure delivery against performance targets, and to ensure that best value for money is achieved.
      • Ensure that the service contributes to overall Directorate and Corporate performance as appropriate and provide update reports as required.
      • Ensure that the ICT Assurance Compliance Lead receives high quality service-specific advice.
      • Apply resources effectively across the section to maximise the delivery of front-line services.
      • Ensure compliance with relevant legal, regulatory and statutory performance requirements.
      • Assist the Compliance Lead to ensure that ICT Assurance compliance service budgets are managed in accordance with all relevant financial policy and procedures.
      • Contribute effectively to quality and performance management systems and ensure that the section is being managed as per the requirements of these systems.
      • Assist the Compliance Lead to investigate all complaints and adverse incidents where outcomes are below expected standards.
      • Establish effective and rigorous quality assurance systems to maintain high standards.

      Leadership

      • Work closely with the Head of ICT Assurance and the Compliance Lead to provide the section with leadership and direction, ensuring that corporate, directorate and service performance standards are achieved.
      • Promote the ethos and values of the authority and ensure that the section is focused on customer needs.
      • Foster a culture that supports achievement of the authority's Strategic Plan by role modelling core values and leadership behaviours to staff in the section.
      • Lead/manage and communicate change and improvement initiatives within the section.
      • Lead, manage and develop staff within the section.
      • Educate Education Authority staff on cyber security risks, compliance and supplier assurance strategies.
      • Encourage staff involvement and engagement in the strategic development and operational delivery of the section.
      • Actively encourage teamwork and self-development, and create opportunities to maximise individuals' potential, stimulate innovation and connection at all levels with front line services.
      • Promote a positive culture of performance management within the section through individual and small-team accountability. Foster a culture of constructive feedback and learning, and a genuine commitment to regular and effective appraisals.
      • Prepare and deliver reports on behalf of the ICT Assurance Compliance Lead as required.

      Building Relationships and Working with Others

      • Build and maintain effective, professional and respectful stakeholder relationships.
      • Ensure efficient and effective internal communication with staff in the section.
      • Work closely with partner organisations, the ICT Assurance Compliance Lead and colleagues to benchmark services and lead/manage and monitor change.
      • Build and maintain effective working relationships and clear lines of communication with the ICT Assurance Compliance Lead and the Head of ICT Assurance, other Heads of Service within the Directorate and in other Directorates, and the ICT Senior Management Team.
      • Develop and maintain clear lines of communication and effective working partnerships with relevant external stakeholders and service user groups.
      • Work with the Compliance Lead to manage engagement with staff, schools and the public on major changes in the service that may affect them.
      • Work with external agencies, for example education sector partner organisations, to identify opportunities for joint working that might bring greater consistency across the sector and/or improve the efficiency and effectiveness of service delivery.

      Section-specific responsibilities

      The following list provides an outline of the key responsibilities. It does not, however, represent a comprehensive list of tasks.

      Control

      • Support the Compliance Lead to establish a compliance management framework to monitor and manage information security controls within EA.
      • Support the Compliance Lead to establish an operational team to approve and implement the information security policy for EA information systems.
      • Support the Compliance Lead to develop governance and an operational team for monitoring indicators of compromise and responding to information security incidents.
      • Establish and control compliance with information security auditing, monitoring and evaluation against policy, standards and guidance.
      • Establish an effective supplier assurance capability, incorporating a governance framework that fits with other relevant corporate governance capabilities, to manage 3rd party information security risk.

      Plan

      • Devise and recommend appropriate mechanisms for measuring security compliance, based on an understanding of the requirements of the organisation.
      • Gather requirements from such sources as business and service risk, plans and strategies, service and operational level agreements, and legal, moral and ethical responsibilities for information security.
      • Consider factors such as the amount of funding available and the prevailing organisational culture and attitudes to security.
      • Maintain the information security policy as an organisation-wide document, not one applicable only to ICT.
      • Develop a threat and risk assessment to inform the development of security requirements.
      • Develop cyber incident monitoring and response plans and engage with other emergency planning functions to ensure plan integration.
      • Develop compliance and cyber incident monitoring plans.

      Implement

      • Ensure that appropriate procedures, tools and controls are in place, including security policies, incident management and disaster recovery.
      • Determine a clear and agreed compliance framework, integrated with the needs of the business.
      • Establish security compliance and incident management procedures that are justified, appropriate and supported by senior management.
      • Provide effective marketing and education in security compliance risks and requirements.
      • Evaluate supplier security control frameworks and measures through robust supplier assurance assessments and audits.
      • Evaluate operational information security implementation risk.
      • Develop IT compliance and incident management assessment plans and scopes for new systems and services.
      • Promote security awareness by developing and implementing a security awareness and training programme.
      • Establish a mechanism for measuring and managing compliance and incident management improvement.
  • About the company

      The Education Authority is a non-departmental body sponsored by the Department of Education in Northern Ireland.