At a Glance
- Tasks: Lead technical investigations and coordinate responses to cyber security incidents.
- Company: Join the DWP's Cyber Resilience Centre, a key player in national cyber protection.
- Benefits: Enjoy flexible working hours, generous leave, and a strong pension scheme.
- Why this job: Be at the forefront of cyber security, making a real impact on national safety.
- Qualifications: Proven experience in cyber security or digital forensics is essential.
- Other info: Work may require on-call duties and travel to various sites.
The predicted salary is between £42,000 and £62,000 per year.
This role is an exciting position in the Cyber Resilience Centre, part of DWP Security and Data Protection. The Security Monitoring & Investigations Team (SMI) plays a vital role in securing the DWP estate, ensuring that service delivery is not affected by potential malicious activity from either internal or external threat actors. The team operates in a dynamic environment at the forefront of the Department's cyber protection capability.
The Digital Forensics Incident Response Lead will lead and direct technical investigations including digital forensics, that arise from security incidents. They will be responsible for ensuring that all legal and internal compliance standards are maintained and for producing and reviewing technical reports with appropriate recommendations. They will provide expert technical advice to all internal stakeholders and will work with teams across DWP to develop and improve cyber response strategies and forensic and investigation capabilities.
They will be actively involved in all stages of incident response, from identification and containment through to eradication and recovery. They will respond quickly and decisively to minimise the impact of any cyber-attack to the organisation and will make appropriate recommendations to prevent an incident from recurring. They will manage and develop a virtual team of analysts focused on the identification and investigation of cyber security incidents, as well as the proactive detection and investigation of potential indicators of compromise or malicious activity on DWP systems. They will provide co-ordination of the technical response to security incidents, collaborating with stakeholders across the DWP to ensure effective and proportionate mitigations are applied.
Responsibilities
- Support the DWP Security Incident Response Team (SIRT) by providing expert technical input to ongoing investigations in relation to the mitigation, detection and response to potential cyber-attacks.
- Deliver the team strategy, implementing agreed policies, standards and processes as required to support the work of the Digital Forensics Incident Response Team.
- Lead and direct forensic investigations that arise from security incidents ensuring that all legal and internal compliance standards are maintained and that all outputs and reports are fit for purpose.
- Provide expert technical advice to internal DWP stakeholders as well as DWP partners and work across the Department to develop and improve cyber response strategies and forensic and investigation capabilities.
- Receive, analyse and interpret reports of technical, threat and vulnerability information from all sources of intelligence. This includes outputs from DWP systems as well as intelligence from OGD partners, knowledge exploitation and open-source information. Use the information for the identification of threats across the DWP estate.
- Produce and review technical reports following security incident investigations, including recommendations for resolving or mitigating control failures and actively contribute to lessons learned exercises.
- Lead, direct and manage a virtual team of security analysts focused on the technical investigation of security incidents, ensuring resources are assigned to the key threat areas and workloads organised appropriately to deal with competing demands.
- Direct and co-ordinate technical incident response activities across the wider DFIR function, providing effective communications and coordinating activities across the team, involving expert domains and stakeholders timeously, as appropriate, to ensure an effective and cohesive response.
- Perform complex analysis in a high-pressure environment encouraging analysts to demonstrate adaptability and creativity, always demonstrating professionalism, and upholding the team's credibility across DWP.
- Provide timely intervention to protect the DWP IT Estate through operating and directing containment processes to isolate and prevent the spread of attacks.
- Develop influential relationships with key stakeholders across the Department to support improvement activities to mitigate the risks from malicious activity.
- Adhere to Association of Chief Police Officers (ACPO) guidelines for investigations, maintaining chain of custody records for evidential or intelligence items.
- Present evidence as appropriate, acting as an expert witness if necessary.
The Security Monitoring and Investigations team operates 24 hours a day, 7 days a week and as a result, post holders may be required to work as part of an on-call rota and to work outside of usual office hours as investigations dictate. Travel to different DWP sites and Government agencies with occasional overnight stays will also be required.
Essential Criteria:
- Proven track record in cyber security or digital forensics, with experience using a variety of cyber security and digital forensic tools and of analysing large datasets. This should include supporting qualifications and applicable experience.
- Experience of working within the confines of relevant legislation as it applies to cyber security and digital forensics activities.
- Proven experience of leading and managing technical investigations, assessing risk and managing and developing a team. Evidence of ability to develop and follow incident response plans.
- Extensive knowledge of the cyber environment, including knowledge and experience of the breadth of threat actors and depth of threat vectors available. Understand the threats to the Department's environments and the wider digital infrastructure: government, commercial and personal.
- In-depth knowledge of the legislation governing the collection and analysis of intelligence and evidential material, including its disclosure.
- Demonstrable evidence of delivering at pace with the ability to prioritise conflicting tasks with the resources available.
- Knowledge of malware analysis and advanced incident response techniques including memory forensics and network traffic analysis. Experience of conducting forensic investigation in cloud and virtualised environments.
Technical skills
We'll assess you against these technical skills during the selection process:
- Forensics (Government Cyber Security Profession Skills Framework Practitioner level)
- Incident Management, Incident Investigation and Response (Government Cyber Security Profession Skills Framework Practitioner level)
- Intrusion Detection and Analysis (Government Cyber Security Profession Skills Framework Expert level)
- Threat Understanding (Government Cyber Security Profession Skills Framework Practitioner level)
Benefits
Alongside your salary of £55,557, Department for Work and Pensions contributes £16,094 towards you being a member of the Civil Service Defined Benefit Pension scheme. DWP have a broad benefits package built around your work-life balance which includes:
- Working patterns to support work/life balance such as job sharing, term-time working, flexi-time and compressed hours.
- Generous annual leave: at least 23 days on entry, increasing up to 30 days over time (pro rata for part-time employees), plus 9 days public and privilege leave.
- Support for financial wellbeing, including interest-free season ticket loans for travel, a cycle to work scheme and an employee discount scheme.
- Health and wellbeing support including our Employee Assistance Programme for specialist advice and counselling and the opportunity to join HASSRA, a first-class programme of competitions, activities and benefits for its members (subscription payable monthly).
- Family friendly policies including enhanced maternity and shared parental leave pay after 1 year's continuous service.
- Funded learning and development to support progress in your role and career. This includes industry recognised qualifications and accreditations, coaching, mentoring and talent development programmes.
- An inclusive and diverse environment with opportunities to join professional and interpersonal networks including Women's Network, National Race Network, National Disability Network (THRIVE) and many more.
Digital Forensics Incident Response Lead in Newcastle Upon Tyne employer: DWP
Contact Detail:
DWP Recruiting Team
StudySmarter Expert Advice 🤫
We think this is how you could land Digital Forensics Incident Response Lead in Newcastle Upon Tyne
✨Tip Number 1
Familiarise yourself with the latest trends and tools in digital forensics and incident response. Being well-versed in current technologies and methodologies will not only boost your confidence but also demonstrate your commitment to staying ahead in the field.
✨Tip Number 2
Network with professionals in the cyber security community, especially those who work in digital forensics. Attend relevant conferences, webinars, or local meetups to build connections that could lead to valuable insights or referrals for the role.
✨Tip Number 3
Prepare to discuss real-world scenarios during interviews. Think of specific incidents you've managed or contributed to, focusing on your role, the challenges faced, and how you achieved successful outcomes. This will showcase your practical experience and problem-solving skills.
✨Tip Number 4
Research DWP's current cyber security initiatives and challenges. Understanding their specific needs and how your expertise aligns with their goals will help you articulate your value during discussions and demonstrate your genuine interest in the position.
Some tips for your application 🫡
Tailor Your CV: Make sure your CV highlights relevant experience in cyber security and digital forensics. Emphasise your leadership skills and any specific tools or methodologies you have used that align with the job description.
Craft a Strong Cover Letter: In your cover letter, explain why you are passionate about the role and how your background makes you a perfect fit. Mention specific experiences that demonstrate your ability to lead technical investigations and manage teams.
Highlight Technical Skills: Clearly outline your technical skills related to incident management, forensic analysis, and threat understanding. Use examples from your past work to illustrate your expertise in these areas.
Showcase Problem-Solving Abilities: Provide examples of how you have successfully responded to security incidents in the past. Detail your approach to problem-solving and how you have minimised the impact of cyber threats in previous roles.
How to prepare for a job interview at DWP
✨Showcase Your Technical Expertise
Be prepared to discuss your experience with various cyber security and digital forensic tools. Highlight specific instances where you've successfully led investigations or managed incidents, demonstrating your technical knowledge and problem-solving skills.
✨Understand the Legal Framework
Familiarise yourself with the legislation governing cyber security and digital forensics. Be ready to explain how you ensure compliance during investigations and how you maintain the chain of custody for evidence.
✨Demonstrate Leadership Skills
As a lead role, it's crucial to showcase your ability to manage and develop a team. Prepare examples of how you've effectively coordinated teams during high-pressure situations and how you've prioritised tasks to meet deadlines.
✨Communicate Effectively
Strong communication skills are essential in this role. Practice articulating complex technical concepts clearly and concisely, especially when discussing incident response strategies and collaborating with stakeholders across the organisation.