At a Glance
- Tasks: Lead security for a major UK public sector project, ensuring data protection and compliance.
- Company: Join a leading tech firm focused on public sector solutions.
- Benefits: Competitive pay, hybrid work model, and opportunities for professional growth.
- Other info: Dynamic role with significant responsibility and impact on national security.
- Why this job: Make a real difference in securing sensitive data for the UK government.
- Qualifications: Must have DV clearance and experience in security management.
The predicted salary is between £60,000 and £80,000 per year.
Role: Supplier Security Lead - DV Cleared (Contract Outside IR35)
Engagement: UK Public Sector - Oracle ERP Managed Service
Duration: Length of the managed service contract
Location: UK only. Hybrid with attendance at client locations across the UK. Some client secure-area work required.
Security clearance: DV (Developed Vetting) and UK Nationality - MANDATORY. Pre-cleared candidates strongly preferred.
Reports to: Account/Engagement Director
Key interfaces: Client security lead, client Information & Security function, client Security Operations Centre, internal Service Delivery Manager, Incident Manager, third-party software vendor.
1. Role purpose
The Supplier Security Lead is our accountable security owner for the managed service. The role leads on, and has day-to-day operational responsibility for, service security - working in collaboration with the client's Information & Security function, the client Security Operations Centre (SOC), the internal delivery team, and the third-party software vendor. This is a contractually-named DV-cleared key role and is a PASS/FAIL requirement under the Conditions of Participation.
2. Context
The service processes HR, Finance and Project data including OFFICIAL-SENSITIVE personal and financial data of UK civil servants and locally-engaged staff across a large international footprint. The contractual security regime spans UK Government security policy, NCSC HMG IAS5, GDPR/DPA 2018, PCI-DSS where applicable, and the client's Cyber Security Incident Response Plan. The SOC is operated 24×7 by the client and the Supplier is required to integrate, report into and support it.
3. Key accountabilities
- 3.1 Day-to-day security leadership: Lead and own day-to-day operational responsibility for service security across OPERATE and DEVELOP. Advise the client on security status and matters; identify and address risks; continuously maintain and improve the security posture. Act as the authoritative security voice in the client's Design Authority and Enterprise Architecture forums for security-impacting changes.
- 3.2 Clearance, vetting and access: Own the clearance pipeline: ensure all Supplier staff who hold, process or discuss client data are SC-cleared UK Nationals as a minimum, and that the named DV roles plus all 'full administrator' staff are DV-cleared UK Nationals. Manage client-sponsored SC and DV applications from the start of Transition, conducting reasonable diligence checks in advance. Oversee joiner/mover/leaver, privileged access management (PAM), role-based access control (RBAC), and the monthly audit report on RBAC and environment access.
- 3.3 Security operations and SOC integration: Provide the required reports to the client SOC in agreed format and frequency. Support the SOC in resolving security incidents; document security use cases with the SOC; implement, maintain and support those SOC infrastructure components hosted within the cloud infrastructure. Co-ordinate response to security incidents with the client's Cyber Security Incident Response Plan and ensure the Incident Manager and Service Delivery Manager are informed and aligned.
- 3.4 Assurance, audit and compliance: Treat information security issues, weaknesses or deficiencies identified by the client as Security Incidents under the client's Cyber Security Incident Response Plan. Provide client auditors with access to security documentation, configurations of security-enforcing technologies, standards and procedures. Collaborate with the client to plan and conduct annual PenTest and regular Disaster Recovery exercises. Ensure GDPR/DPA 2018 obligations are met; oversee data retention, secure disposal, lawful processing, and Data Protection Impact Assessments where required.
- 3.5 Technical security controls: Define, document, agree and maintain Standard Operating Procedures for system administration and maintenance, with procedural controls per user role. Ensure authorisation controls prevent extraction of information assets without legitimate need. Ensure only client-issued devices are used to connect to the service in delivery. Maintain a data back-up policy aligned to Business Impact Assessment and the client's retention policy. Enforce removable-media scanning, network segregation, least-privilege access, location-based access controls, and unique user IDs. Ensure all Supplier work on the service is conducted exclusively from within the UK from client-approved secure areas.
- 3.6 Communications and notification: Maintain regular communication with the client throughout the contract. Promptly notify the client of any changes to directors, key security personnel, business ownership (including acquisitions) or physical operating locations. Report any major security breaches within the Supplier's own ICT estate to the client.
4. Essential experience and skills
- Substantial experience as an accountable security owner on a UK Central Government managed-service contract handling OFFICIAL-SENSITIVE data.
- Deep working knowledge of NCSC HMG IAS5, NCSC Cyber Assessment Framework (CAF), Cyber Essentials Plus, ISO/IEC 27001, GDPR and DPA 2018.
- Hands-on experience integrating with a UK Government SOC, including SIEM reporting, security use case design and incident response co-ordination.
- Practical experience of Oracle Cloud security - OCI IAM, vault, network security, audit, PAM - and Oracle SaaS application security (HCM/ERP/EPM RBAC, segregation of duties, data masking).
- Experience commissioning and overseeing PenTesting, vulnerability management, and Disaster Recovery exercises in a UK Government context.
- Proven experience leading UK Government clearance pipelines: SC and DV sponsorship, due diligence, joiner/mover/leaver workflows.
- Strong written communication for government-grade audit, assurance and governance reporting.
- Comfortable as a named security accountable individual in formal governance and contractual reporting.
5. Essential clearance and eligibility
- DV clearance and UK Nationality - contractually mandatory (PASS/FAIL). Pre-cleared candidates strongly preferred.
- Candidates without current DV may be considered only if SC-cleared with a credible DV application route through client sponsorship at the start of Transition.
- Willing and able to work exclusively from within the UK.
- Willing to attend client secure areas across the UK as required.
6. Desirable
- CISSP, CISM, CCP (CESG Certified Professional) IA Architect/IA Auditor/SIRA, or equivalent senior security certifications.
- Oracle Cloud Security certifications (OCI Security Professional, Oracle Cloud Identity & Security Architect).
- Prior experience of an Oracle ERP-on-OCI security model at scale (HCM, ERP, EPM, VBCS, BI/Analytics).
- Familiarity with UK Government security operating context, including overseas-network considerations, locally-engaged staff data, and HMG personnel security policy.
- Experience supporting PCI-DSS compliance where payment card data is in scope.
7. Personal attributes
- Authoritative without being abrasive - able to say 'no' to delivery pressure and explain why in business terms.
- Detail-oriented on policy, controls and evidence; pragmatic on operational trade-offs.
- Comfortable owning a named, individually-accountable role under public-sector contractual scrutiny.
- Visible collaborator with client security counterparts, third-party vendors, and internal service leadership.
8. Key performance indicators
- 100% of in-scope staff hold valid SC or DV clearance, with no operational delivery delayed by clearance gaps.
- SOC reporting delivered in agreed format and frequency, with zero material reporting failures.
- Annual PenTest and DR exercises completed on plan, with remediation tracked to closure.
- Zero Category 1 information security breaches attributable to Supplier controls.
- Monthly RBAC and environment-access audit reports delivered on time, with audit findings closed within agreed SLAs.
- Clean external audit outcomes (internal audit, GIAA, or comparable).
DV Cleared - Supplier Security Lead - Outside IR35 (employer: VE3)
As a Supplier Security Lead within our dynamic UK Public Sector team, you will thrive in a supportive and collaborative work culture that prioritises security excellence and professional growth. We offer competitive benefits, including flexible hybrid working arrangements and opportunities for continuous learning, ensuring you can develop your skills while making a meaningful impact on the security of sensitive data across government operations.
StudySmarter Expert Advice🤫
We think this is how you could land DV Cleared - Supplier Security Lead - Outside IR35
✨Tip Number 1
Network like a pro! Get out there and connect with people in the industry. Attend events, join online forums, and don’t be shy about reaching out to folks on LinkedIn. You never know who might have the inside scoop on job openings or can put in a good word for you.
✨Tip Number 2
Prepare for interviews like it’s game day! Research the company, understand their values, and be ready to discuss how your experience aligns with their needs. Practise common interview questions and have some thoughtful questions of your own ready to show you’re genuinely interested.
✨Tip Number 3
Showcase your skills through real-life examples. When discussing your experience, use the STAR method (Situation, Task, Action, Result) to clearly demonstrate how you’ve tackled challenges in the past. This will help you stand out as a candidate who can deliver results.
✨Tip Number 4
Don’t forget to follow up! After an interview, send a quick thank-you email to express your appreciation for the opportunity. It’s a nice touch that keeps you on their radar and shows your enthusiasm for the role. Plus, it’s a great chance to reiterate why you’re the perfect fit!
We think you need these skills to ace DV Cleared - Supplier Security Lead - Outside IR35
Some tips for your application 🫡
Tailor Your Application: Make sure to customise your CV and cover letter to highlight your experience with security management, especially in a UK Government context. We want to see how your skills align with the role of Supplier Security Lead, so don't hold back on showcasing relevant projects!
Show Off Your Security Knowledge: Since this role is all about security, be sure to mention your familiarity with NCSC HMG IAS5, GDPR, and other relevant frameworks. We love candidates who can demonstrate their understanding of these standards and how they apply to real-world scenarios.
Be Clear and Concise: When writing your application, keep it straightforward and to the point. Use clear language to describe your past experiences and achievements. We appreciate well-structured applications that make it easy for us to see your qualifications at a glance.
Apply Through Our Website: Don't forget to submit your application through our website! It's the best way for us to receive your details and ensures you're considered for the role. Plus, it helps us keep everything organised on our end.
How to prepare for a job interview at VE3
✨Know Your Security Standards
Familiarise yourself with key security frameworks like NCSC HMG IAS5, GDPR, and ISO/IEC 27001. Be ready to discuss how these apply to the role and your past experiences, as this will show you understand the importance of compliance in managing sensitive data.
✨Demonstrate Your Leadership Skills
As a Supplier Security Lead, you'll need to showcase your ability to lead security operations. Prepare examples of how you've successfully managed security teams or projects, particularly in high-stakes environments like UK Government contracts.
✨Prepare for Technical Questions
Expect questions about Oracle Cloud security and SOC integration. Brush up on your knowledge of OCI IAM, PAM, and incident response coordination. Being able to speak confidently about these topics will set you apart from other candidates.
✨Show Your Communication Skills
Effective communication is crucial in this role. Be prepared to explain complex security concepts in simple terms, especially when discussing your experience with client interactions and reporting. This will demonstrate your ability to collaborate with various stakeholders.