Detailed job description and main responsibilities

To lead on Cyber Security for Alder Hey, working closely with MIAA and peers within Cheshire and Merseyside.

Develop Cyber Security policies and processes providing a significant level of assurance.

To be responsible for the leadership and effective management of the information security management for Alder Hey, ensuring the protection of all data held within the organisation

The post holder will ensure that processes related to the implementation and support for IT security is carried out in accordance with industry and NHS best practice.

The post holder will ensure the processes are documented and they are managed in order to effectively deliver the performance required within an IT security setting.

Main areas of responsibility

• Support Information Governance and Data protection functions for the Trust to achieve the highest standards of information security, emphasising data protection issues.
• Manage the Trust’s Electronic Information Asset Register to include auditing of all information systems, providing a significant level of assurance.
• Maintain, improve and disseminate knowledge of Data Protection relating to Information Security issues throughout the Trust.
• Provide evidence for the achievement of Information Governance Toolkit standards in relation to Data Protection, Confidentiality, Information Security and NCSC which informs the ‘Standards for Better Health’
• Responsible for the ongoing management of security alerts and vulnerabilities in line with NHS CareCert toolkit and NHS Digital good practice guidelines
• To have an in-depth understanding, and adhere to all IM&T and Trust polices.
• To ensure robust systems are in place for monitoring data protection and information security incidents.
• To take a lead on Cyber Security and represent the Trust in Cheshire and Merseyside leadership forums
• Provide expert advice to the Trust on Cyber security.
• Act as the subject matter expert in all matters relating to Information Security for Alder Hey, working with departmental representatives to achieve and maintain the Information Security Framework.
• Conduct Information Security risk assessments on sometimes highly intricate business decisions and systems.
• The post holder will have a broad understanding of IM&T technologies and specialist knowledge in a number of key technologies such as firewalls, email filters, anti-virus and intrusion detection
• To develop information security plans that will feed into the wider Trust and IM&T strategies.
• Responsible for the formulation and development of information security plans and strategies to enable the successful completion and implementation of new systems.
• Design, and maintain Alder Hey Information Security Framework, Policies, Procedures and Standards based upon the requirements of the law, DSPT Toolkit, NHS and industry best practice (e.g. ISO/IEC 27000 series standards.).
• Perform full audits on all new information systems prior to installation. Research and recommend alternative technical solutions where risks are present.
• Develop information security strategies, roadmaps, business cases and remediation plans.
• As technology develops the post holder will need to regularly investigate developments assessing them for any potential security risks.
• Create and maintain specialist Cyber Security Awareness training for use by the Trust.
• Undertake Privacy Impact Assessment (PIA) process to assess the privacy and data protection impact of new projects and/or third party services.
• Co-ordinate the necessary response and resolution activities following a suspected or actual security incident or breach. Keeping the information risk lead (SIRO) and information asset owners (IAO’s) informed of security incidents, impacts and causes, resulting actions and learning outcomes.
• Ensure that all work undertaken for Alder Hey, in-house or by Third Parties, adheres to the established Security standards.
• Provide regular assurance reports to the Senior Information Risk Owner and Information Governance lead on all information security matters as part of evidence for the IG Toolkit.
• Investigate information security incidents, where required, or provide subject matter expertise on Information security incidents investigations.
• Co-ordinate and manage the implementation of security controls to a sufficient quality required to achieve compliance with relevant information security standards (e.g. DSPT Toolkit, ISO 27001 / 2002) as well as wider industry best practice.
• Manage and commission annual penetration tests for the Trust Providing management responses for testing reports.
• Design, develop and maintain Business Continuity plans and carryout desktop exercises to prove the efficiency and accuracy of the plan.
• Test and provide assurance reports on disaster recovery plans for the IT infrastructure.
• Provide assistance in developing responses to Freedom of Information requests.
• To develop Information Governance / DSPT Toolkit Action plans for the Trust. This involves the assessment of Trust systems, processes and policies against the toolkit standards, and liaison with staff.
• To ensure Information Governance /DSPT toolkits are populated with supporting evidence in order to demonstrate agreed achievement of specific standards.
• Provide assessment of information processes to maintain the Trusts annual Data Protection
• To ensure that all information security incidents are recorded, and where necessary; to liaise with the Risk Manager and IG Manager within the Trust.
• Investigate IT security incidents as required, this may involve audit trails, manually checking individual accounts, interviews, producing system reports regarding activity. Formally track evidence in chain of custody.
• To regularly report on information security incidents to Trusts Information Governance Groups.
• To compose and ensure that Information Governance Policies in relation to information security are implemented, enforced and monitored and ensure all Trusts embraces a culture of confidentiality.
• To plan and implement a system of full data protection audit within Trusts. This will involve liaison with staff within Trust and assessing systems and processes against regulations.
• To report on the results of the data protection audit making recommendations for improvements. This will involve liaison with senior staff within Trusts.
• Ensure that data protection and information security training for each Trust is up-to-date, and incorporates current Trust policies and practices.
• Ensure that data protection and information security training is monitored for quality and understanding. This is usually achieved by post training questionnaires and interviews.
• To keep abreast of IT Security developments and ensure the Trust is adhering to national cyber security initiatives and maintain awareness of cyber threat trends.
• Through a matrix management approach, ensure all staff with the IT Operations function are leading on developments to support MIAA recommendations and are managing CareCerts alerts.