Information Security & Secure Communication Officer

European Defence Agency
Brussels, Belgium

Role details

Contract type
Temporary contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Intermediate
Compensation
€ 53K


Tech stack

Microsoft Windows
Artificial Intelligence
Data analysis
Azure
Cloud Computing
Computer Security
Information Systems
Information Management
Windows Server
Information Security Management System
Chatbots
Cyber Threat Analysis
Information Technology
GPT

Job description

The Agency is an "outward-facing" organisation, constantly interacting with its shareholders, the participating Member States, as well as with a wide range of stakeholders. It works in an integrated way, with multi-disciplinary teams representing all of the Agency's functional areas, to realise its objectives. Its business processes are flexible and oriented towards achieving results. Staff at all levels need to demonstrate the corresponding qualities of commitment, flexibility, innovation, and team-working; to work effectively with shareholders and stakeholder groups, formal and informal; and to operate without the need for detailed direction.

  1. THE CORPORATE SERVICES DIRECTORATE

The Corporate Services Directorate (CSD) provides critical business support to EDA operations by delivering high-quality corporate services under seven dedicated organizational elements, namely: Human Resources; Procurement and Contract Management; Finance; IT and Information Management; Security; Legal; and Infrastructure. Additionally, the Record Manager is responsible for the effective management of information produced and/or received by the organisation.

CSD processes are geared towards efficient and optimal use of resources, leveraging good practice and technological solutions while ensuring sound financial management, transparency and accountability; outward focus and commitment to continuous improvement are the hallmarks of CSD.

  1. DUTIES

Under the supervision of the Business Information Security Officer, the jobholder will be responsible for/contribute to the following activities:

A. Information Security Management System (ISMS)

  • maintain EDA ISMS in accordance with EU applicable legislation (e.g. Regulation (EU) 2023/2841, EU GDPR, etc.) as it changes and evolves;
  • perform gap analysis activities against Regulations and standards as needed and draft mitigation plans;
  • assist in preparing compliance reports for internal and external stakeholders;
  • draft, update, and maintain information security and cybersecurity policies, procedures, and operational plans;
  • develop, implement and maintain processes to monitor compliance with security regulations and internal policies;
  • assist in audits and assessments to evaluate adherence to security rules, regulations, standards and best practices;
  • collaborate with stakeholders throughout EDA to design and implement improvement plans.

B. Cyber Risk Management

  • assist in all the Cybersecurity Risk Management activities, including identification and mitigation of risks related to non-compliance with security requirements;
  • maintain the Cybersecurity Risk Registry for classified and unclassified systems and services;
  • support the development of cyber risk registers and contribute to the creation of mitigation strategies.

C. EUCI governance

  • assist in the regular EDA EUCI Business Requirements update, review and analysis cycle;
  • support EDA EUCI Communication and Information Systems (CIS) and Services and their formal security accreditation processes;
  • support TEMPEST compliance activities in accordance with CD 2013/488 and relevant rules and regulations.

D. Business Continuity and Disaster Recovery

  • assist in Business Continuity and Disaster Recovery processes and activities.

E. Other Information Security activities

  • organize and provide training and guidance to staff, in close coordination with the Security Unit and IT Unit, on Information Security awareness, EUCI CIS handling, regulatory compliance requirements and best practices.

The jobholder may take on additional tasks as required in the interest of the service.

Duties may evolve according to the development of EDA's structure and activities, and the decisions of EDA management.

EDA, whose staff are governed by its own Staff Regulations, offers specific conditions of employment with regards to contract duration and pension arrangements.

EDA will not accept any phase of the selection & recruitment process prepared or assisted, in whole or in part, by means of generative artificial-intelligence (AI) tools, including and without limitation to chatbots, such as Chat Generative Pre-trained Transformer (Chat GPT), or other language generating tools. EDA reserves the right to screen applications to identify the use of such tools. All applications prepared, in whole or in part, by means of such generative or creative AI tools may be rejected without further consideration at EDA's sole discretion, and EDA reserves the right to take further steps in such cases as appropriate.

If recruited, candidates will be requested to supply documentary evidence in support of the statements made in their application. They should not send any supporting or supplementary information until asked to do so by the Agency. Candidates are advised that part of the recruitment process includes medical analyses and physical check-up with the Agency's Medical Adviser.

Staff members employed at EDA require a Personnel Security Clearance Certificate (PSCC). The process to obtain a PSCC can be initiated only by EDA on behalf of the staff member. Failure to obtain the requisite security clearance certificate before the expiration of the probationary period may be cause for termination of the contract.

  1. DATA PROTECTION

Please note that EDA will not return applications to candidates. The personal information EDA requests from candidates will be processed in line with Regulation (EU) N° 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) 45/2001 and Decision No. 1247/2002/EC.

Requirements

  • be a national of a Member State participating in the Agency;

  • be entitled to their full rights as citizens;
  • have fulfilled any obligations imposed on them by the laws concerning military service;
  • produce the appropriate character references as to their suitability for the performance of their duties (extract from the "judicial record" or certificate of good conduct will be requested prior to recruitment);
  • be physically fit to perform their duties;
  • have a thorough knowledge (minimum level C1 oral and written) of one of the languages of the participating Member States and a satisfactory knowledge (minimum level B2 oral and written) of another of these languages to the extent necessary to discharge their duties;
  • have no personal interest (financial, family relationship, or other) which could be in conflict with disinterested discharge of their duties within the Agency;
  • hold, or be in a position to obtain, a valid Personnel Security Clearance Certificate (national or EU PSC at SECRET UE/EU SECRET level). Personnel Security Clearance Certificate (PSCC) means a certificate issued by a competent authority establishing that an individual is security cleared and holds a valid national or EU PSC, and which shows the level of EUCI to which that individual may be granted access (SECRET UE/EU SECRET), the date of validity of the relevant PSC and the date of expiry of the certificate itself. Note that the necessary procedure for obtaining a PSCC can be initiated on request of the employer only, and not by the individual candidate;
  • have a level of education which corresponds to completed university studies of at least three years attested by a diploma or be a graduate of a national or international Defence College.

Only diplomas that have been awarded in EU Member States or that are the subject of equivalence certificates issued by the authorities in the said Member States shall be taken into consideration. In the latter case, the authority authorised to conclude contracts of employment reserves the right to request proof of such equivalence.

For native English speakers, your ability to communicate in another EU language will be tested during the selection process. To assess your foreign language levels, see: https://europa.eu/europass/en/common-european-framework-reference-language-skills

  • a University degree (or equivalent academic degree) in computer science, IT, engineering, or related field;

  • at least 3 years of professional experience (acquired after the award of the minimum qualification required as a condition of eligibility) in:
      • implementing and maintaining Information Security Management Systems and standards (NIST CSF, ISO-27001, NIST-800-53) within EU/government organizations or the private sector;
      • applying Risk Management Frameworks to manage cybersecurity risks in EU, Government or private sectors;
  • solid knowledge of IT cloud infrastructures (e.g. Microsoft Azure);
  • a basic understanding of on-premises Windows server and application technology stack;
  • professional experience in drafting policies and delivering presentations to technical and non-technical audience;
  • a very good command of written and spoken English.

All staff must be able to fit into the Agency's way of working (see para. 2). Other attributes important for this post include:
  • ability to collaborate within a team and work independently within their area of responsibility;
  • ability to work effectively in a multinational environment;
  • focus on results and high level of motivation;
  • flexibility and innovation;
  • confidentiality and integrity;
  • strong conceptual, drafting, interpersonal, and analytical skills;
  • genuine commitment to the Agency's objectives.

  • professional experience in, and good knowledge of EUCI CIS and related security accreditation processes;
  • professional experience in, and good knowledge of TEMPEST technologies;
  • hold a recognised information security certification such as ISO-27001 LA/LI, CISM, CISSP;
  • experience in organising and managing meetings and workshops in EU Institutions/Agencies and/or international Organizations;
  • data analysis skills to inspect, clean, transform, and model data to extract insights and support decision-making;
  • hold a (recognised) Project Management qualification.

Benefits & conditions

The pay for this position consists of a basic salary of 4.449,31€ supplemented with various allowances including, as applicable, expatriation or family allowances. Successful candidates are graded on entry into service according to the length of their professional experience. Salaries are exempted from national tax; instead, an Agency tax is deducted at source.

PENSION ARRANGEMENTS SPECIFIC TO EDA

Prospective staff members considering a career at the European Defence Agency (EDA) should be aware that EDA has its own pension provisions and is not part of the EU institutions' pension scheme (PSEUI).

In addition, EDA staff have several flexible options regarding their pension contributions at the end of their contract, under certain conditions, such as:

  • transfer to a public pension scheme;
  • transfer to a private pension scheme;
  • direct payment as a severance grant.

About the company

The European Defence Agency (EDA) was established on 12 July 2004, and is governed by Council Decision (CFSP) 2015/1835 defining the statute, seat and operational rules of the European Defence Agency. The Agency has its headquarters in Brussels. The main task of EDA is to support the Council and the Member States in their effort to improve the Union's defence capabilities in the field of crisis management and to sustain the Common Security and Defence Policy (CSDP) as it currently stands and as it develops in the future. The Agency is structured into four directorates: the Corporate Services Directorate (CSD) and three operational directorates: Industry, Synergies and Enablers (ISE); Capability, Armament & Planning (CAP); Research, Technology and Innovation (RTI).

For diplomas awarded in non-EU countries, a NARIC recognition is required: https://www.enic-naric.net
