National It Security Officer

Position Title: National IT Security Officer (Application Security) Duty Station: Manila, Philippines Classification: National Officer/NO-C Type of Appointment: Fixed term, one year with possibility of extension Estimated Start Date: As soon as possible Closing Date: 04 September 2019
Established in 1951, IOM is a Related Organization of the United Nations, and as the leading UN agency in the field of migration, works closely with governmental, intergovernmental and non-governmental partners. IOM is dedicated to promoting humane and orderly migration for the benefit of all. It does so by providing services and advice to governments and migrants. IOM is committed to a diverse and inclusive environment. Internal and external candidates are eligible to apply to this vacancy. For the purpose of the vacancy, internal candidates are considered as first-tier candidates.Â
Context:  The National IT Security Officer (Application Security) position is based in Manila Administrative Centre (MAC), headed by the Director of MAC. The Information and Communications Technology (ICT) is one of the Divisions with its operations delocalized to MAC. Under the overall supervision of the Senior Information Security Officer and direct supervision of the Information Security Officer, the successful candidate will be responsible for analysing system services, operating systems, networks and applications from a security perspective, and should be skilled at discovering security issues that appear under new threat scenarios. He/she will ensure that IOM in-house developed applications are designed and implemented to the highest security standards and resilient to the modern threats.Â
Core Functions / Responsibilities:  • Assume overall, direct responsibility for the successful design and implementation of the entire application security strategy of IOM. • Support the development and dissemination of policies, operational guidance, instructions, tools and analytical frameworks aimed at ensuring that internally developed applications are secure and in accordance with IOMâ??s regulations, rules, policies and procedures. • Maintain strong contacts with relevant internal development teams to review, assess, design and implement a program that integrates security into the build/release pipelines to validate that code is secure before it goes to production. • Evaluate and recommend use of Machine Learning, Artificial Intelligence, and data analytic services to improve the security of IOM in-house developed applications worldwide. • Lead training initiatives aimed to build IOM country officeâ??s capacity in building secure code. • Build, maintain and advocate application security development policies, procedures and standards to secure applications developed by IOM Country Offices worldwide. • Lead the application penetration testing of in-house developed applications at a global level. • Reviews application architectures and implementation details for design flaws, incorrect security implementation and missing security controls. • Maintain contacts with Application Owners and Systems Teams to onboard applications for automated source code and binary reviews using enterprise-class static analysis platform. • Engage application development teams, schedule application vulnerability scans, and ensure that schedule is met while advising and guiding them in the successful remediation of identified vulnerabilities. • Lead IOMâ??s DevSecOps initiative by educating developers and DevOps around the plan, policies and best practices. • Support DevOps on building security automation and achieve scalability • Coordinate application and infrastructure defense mechanisms to increase prevention, detectability and containment capabilities. • Develop applications metrics for performance and risk monitoring. • Develop an automated framework for Security Tool deployment and development, leveraging various scripting languages and open source solutions. • Plan, implement, upgrade and monitor security measures related to computer networks and software testing and validation procedures, programming and documentation (AWS, Azure Cloud Security, Application Security, Vulnerability Management, Machine Learning, AI Sandboxing). • Design API Security, Container Security, AWS Cloud Security. • Advocate and provide guidance on the planning, design, implementation and improvement of system security taking account of current best practice, legislation and regulation.Â
Required Qualifications and Experience Education • Masterâ??s degree in computer sciences, Engineering or relevant field from an accredited academic institution, with five years of relevant professional experience; or, • Bachelorâ??s degree in computer sciences, Engineering or relevant field from an accredited academic institution, with seven years of relevant professional experience Information security certifications (CSSLP, OSCP, CEH, SANS or Cloud computing, CISA, GIAC, CASS) or proper tools certifications (Fortify, WebInspect, Checkmarx, etc.) is an advantage.Â
Experience • 5+ yearsâ?? experience in Application-level vulnerability testing and auditing and Application security; • 3+ years of experience and involvement with development team(s) that delivered commercial software or software-based services (development, QA testing, or security role); • 1+ years relevant security analysis work experience (security consulting or penetration testing); • Experience working on a team with security responsibilities for a SaaS or PaaS solution, preferably in AWS; • Knowledge of configuration management tools (Chef, Puppet, etc.) and command execution frameworks; • Have experience with security testing at scale by building and implementing static and dynamic analysis tools, open source scanning tools and integrating security into a CI/CD workflow; • Have hands-on experience with tools and technologies used throughout secure SDLC (e.g., Burp Suite, Fortify/Checkmarx /Veracode, WhiteSource/Blackduck); • DevOps container/orchestration tools (Kubernetes, Docker, Puppet, etc.); • Experience automating and integrating security operations into DevOps processes; • Experience with SIRP, SIEM, and IDS solutions; • In-depth understanding of secure SDLC and secure SDLC models; • Experience securing containerized applications; • Development experience in .NET, Java and C++; • Experience with scripting languages (e.g. python, ruby, bash); • Experience in Linux OS hardening (CentOS, RedHat preferred); • Ability to translate technical security vulnerabilities into business risk/impact to applications; • Experience in conducting security checks (static and dynamic code analysis, vulnerability analysis in applications and penetration tests); • Experience with OWASP TOP 10 and secure coding techniques to avoid known cross-language as well as platform-specific weaknesses; • Knowledge of security in mobile applications (REST security, JSON, OpenID, OpenAuth, WebToken, SSO); and, • Strong knowledge scripting and automation.Â
Languages Fluency in English is required. Working knowledge of French and/or Spanish an advantage.Â
Required Competencies Values  • Inclusion and respect for diversity: respects and promotes individual and cultural differences; encourages diversity and inclusion wherever possible. • Integrity and transparency: maintains high ethical standards and acts in a manner consistent with organizational principles/rules and standards of conduct. • Professionalism: demonstrates ability to work in a composed, competent and committed manner and exercises careful judgment in meeting day-to-day challenges.
Core Competencies â?? behavioural indicators level 2 • Teamwork: develops and promotes effective collaboration within and across units to achieve shared goals and optimize results. • Delivering results: pproduces and delivers quality results in a service-oriented and timely manner; is action oriented and committed to achieving agreed outcomes. • Managing and sharing knowledge: continuously seeks to learn, share knowledge and innovate. • Accountability: takes ownership for achieving the Organizationâ??s priorities and assumes responsibility for own action and delegated work. • Communication: encourages and contributes to clear and open communication; explains complex matters in an informative, inspiring and motivational way.Â
How to apply: In order for an application to be considered valid, IOM will only accept applications which should include a cover letter (not more than one page) and résumé highlighting the required education and experience or a duly completed IOM Personal History Form. To access the form, please visit https://www.iom.int/sites/default/files/vacancy/MAC/iom-personal-history-form1.xlsx Interested applicants may send their applications to ********** no later than 04 September 2019 . VN Number and Position Title ( VN 028/2019 â?? National IT Security Officer (Application Security) ) should be specified in the SUBJECT field.Â
IOM values equal opportunity and workplace diversity.Â
Only short-listed candidates will be invited for an interview.Â
Posting period: Â From 21.08.2019 to 04.09.2019
The National IT Security Officer position is under the direct supervision of the InfoSec Officer, he will be responsible for analysing system services, operating systems, networks and applications from a security perspective.