Senior Information Security and Risk Management

**Background**:
The OSCE has a comprehensive approach to security that encompasses politico-military, economic and environmental, and human aspects. It therefore addresses a wide range of security-related concerns, including arms control, confidence
- and security-building measures, human rights, combating human trafficking, national minorities, democratization, policing strategies, counter-terrorism and economic and environmental activities. All 57 participating States enjoy equal status, and decisions are taken by consensus on a politically, but not legally binding basis.

The OSCE Secretariat in Vienna assists the Chairmanship in its activities, and provides operational and administrative support to the field operations, and, as appropriate, to other institutions.

The Department of Management and Finance (DMF) is responsible for managing the material and financial resources of the Organization. The objective of DMF is to provide efficient and effective management of non-staff resources in support of OSCE programmatic activities. It provides policy guidance on the management of OSCE financial and material resources and develops and maintains OSCE Financial Regulations and Rules and Financial Administrative Instructions. DMF consists of Budget and Finance Services, General Services Section, Information and Communication Technology Section and the Information Security and Co-ordination Unit.

The Information Security and Co-ordination (ISC) Unit assists the Secretary General in her role as Chief Administrative Officer of the OSCE, to ensure efficient use of the Organization's financial and material resources. Specifically, ISC formulates and monitors an integrated control framework for the Organization through a formal risk assessment and mitigation process, supported by a comprehensive Common Regulatory Management System (CRMS) comprising regulations and instructions.

**Tasks and Responsibilities**:
Under the supervision and guidance of the Director for Management and Finance (D/DMF), as Senior Information Security and Risk Management Officer, you will be responsible for the following:
Managing the OSCE-wide information security, and developing and maintaining an Information Security Management System;
Establishing common information security policy, vision, objectives and principles across the OSCE;
Protecting and managing the integrity, confidentiality and availability of information assets and information systems;
Working with executive management to determine acceptable levels of risk for the OSCE;
Managing the design and implementation of the program of risk assessment, security assurance (compliance) and security monitoring;
Acting as focal point for information security and managing the development of information classification, implementation of ISO standards, cyber incident response arrangements including that of business continuity and disaster recovery;
Managing the development, maintenance and publishing of OSCE information security guidelines; managing the development of the OSCE security incident and event management tools with forensic capability and appropriate incident response from cyber-attacks; ensuring that ICT strategy and architecture takes into account information security requirements while remaining responsive to business requirements;
Collaborating on the approaches needed to secure the Organization; facilitating the sharing of advice and knowledge (expertise) across executive structures; guiding the utilization of common management tools; and overseeing all common information security investments;
Overseeing the development and maintenance of an OSCE-wide documented risk management system; ensuring that the Common Regulatory Management System adequately addresses the needs of the OSCE and proposing enhancements through new or revised Financial Administrative Instructions or other policies based on needs identified through the risk management process and through various activities related to monitoring of internal controls;
Performing other duties as required.

**Necessary Qualifications**:
Second-level university degree with specialization in information systems, information security, computer science and/or business administration; a first-level university degree in combination with two years of additional qualifying experience may be accepted in lieu of the second-level university degree;
At least eight years of relevant professional experience in a large public organization, and/or at a senior management level in a national or international organization or business enterprise;
Experience in developing and maintaining Enterprise Risk Management Systems;
Experience in advising on policy issues and priorities and formulating policy, plans and procedures;
Experience in organizing and delegating work and supervising staff;
Excellent written and spoken communication skills in English; knowledge of another OSCE official language is desirable;
Demonstrated gender awareness and sens