Senior Cloud Security Engineer

Geneva, Switzerland
This job has expired.

JOB DETAIL

TERMS OF REFERENCE

Title of Assignment: Senior Cloud Security Engineer

Name of unit/sector: Security and Information Assurance Division, Administration, Finance and Management Sector

Place of Assignment: WIPO Headquarters, Geneva, Switzerland

Expected duration of assignment: up to December 31st, 2024

1. Objective of the assignment

a. Organizational Setting

The World Intellectual Property Organization (WIPO), a self-funding UN agency with 193 member states, serves as a central hub for intellectual property services, policy, and cooperation globally. Its Cloud Center of Excellence (CCoE), within the Information Technology and Communication Division (ICTD), is responsible for managing cloud services and contracts for IT projects. The CCoE, in partnership with the Security and Information Assurance Division (SIAD), plays a vital role in advancing WIPO’s cloud infrastructure and security strategies. A Senior Cloud Security Engineer in the CCoE will be instrumental in implementing security measures for the WIPO PCT Resilience and Security Program (RSP) during 2024-2025, focusing on bolstering cybersecurity resilience across WIPO’s hybrid multi-cloud PCT systems.

b. Objective Statement

The key objective for this role is the timely, efficient, cost-effective and successful implementation of the defined preventative, detective, containment and responsive controls, the full technical documentation required by the Cloud Center of Excellence Operation team, and the training of WIPO’s cloud security administrators, as detailed below:
• Detailed Design creation and approval: Develop a comprehensive security design to guide the implementation and management of cloud-based information security controls. This design will address the PCT RSP’s and WIPO’s security requirements, encompassing endpoint, network, IAM, cryptography, posture management, application security, and monitoring.
• Security Controls implementation: Collaborate proactively with the RSP Project Manager and Senior Information Security Architect, along with other crucial stakeholders, to effectively establish, execute, and adjust security controls in alignment with the project’s strategic architecture and detailed design. This collaborative effort is aimed at ensuring seamless integration and configuration of security measures, thereby guaranteeing adherence to project timelines and compliance with specified requirements, all while maintaining the highest standards of efficiency and project alignment.
• Post-implementation documentation & Training: Develop high-quality, comprehensive post-implementation documentation, including transition-to-operation guides, security administration procedures, and hands-on training materials for security administrators.

2. Duties/Deliverables

a) Duties

a. Technical Security Documentation: Collaborate with the Senior Information Security Architect, Information Security Engineer, and Cloud Solution Architect to develop detailed designs and operational transition documents for the RSP Project. This will align with the approved security architecture and patterns. Also, create comprehensive procedures for security and technical administrators for tasks that are not fully automatable.
b. Information Security controls enablement: Work with the Senior Information Security Architect, the Information Security Engineer, and the Cloud Solution Architect to deploy, enable, configure, integrate, and initially administer all the required cloud-based information security controls on Azure and AWS.

i) Data security and information protection: Collaborate with stakeholders to implement and manage data security solutions, including classification, DLP, encryption (data-at-rest, in-transit, and in-memory), Cloud KMS, and lifecycle management. Utilize tools like AWS Macie, Microsoft Purview DLP, Azure Information Protection, and others for setup and configuration.
ii) Identity and access management: Collaborate with the Senior Security Architect, Security Engineer, and IAM Specialist to deploy and manage IAM systems, including RBAC, ABAC, 2FA, and PAM, aligned with approved IAM Patterns. This involves configuring and automating IAM policies to ensure separation of duties, least privilege, and need-to-know principles in PCT systems, using tools like AWS IAM, Microsoft Entra, CyberArk, and Microsoft Entra PIM.
iii) Application Security integration: Collaborate with the Senior Security Architect, Application Security Specialist, and Cloud Solution Architect on the PCT RSP to conduct application security tests and manage cloud security issues. Serve as the main contact for coordinating application security remediation between the Application Team and Information Security.
iv) DDoS protection & Response: Collaborate with the network security engineer, Senior Security Architect, and application security specialist to set up and manage a centralized cloud DDoS protection system across all PCT cloud systems, utilizing AWS Shield Advanced.
v) Network Security: Collaborate with the Senior Security Architect, Network Security Engineers, and Application Security Specialist to set up firewalls, enable DNS security, and deploy WAFs for customer-facing systems, including CDNs, load balancers, and API gateways, using AWS WAF, CloudFront, security groups, DNS Firewall, and Check Point CloudGuard.
vi) Endpoint security, Container, Serverless and security operation support: Collaborate with the iSOC Manager to deploy, configure, and manage Threat Detection services, encompassing security hardening, central deployment of advanced EDR and AV agents, AWS GuardDuty setup, container security, and vulnerability assessments using tools like CrowdStrike CSPM and AWS Inspector. Ensure comprehensive logging for SIEM integration using AWS S3, CloudWatch, and AWS Security Lake.
vii) Oversee the transition to operation: Work with the relevant stakeholders to oversee the transition to operation activities specifically for information security controls.
viii) Train security administrators, solution architects and developers: Work with the relevant stakeholders to ensure that the security administrators, cloud solution architect and application architect are trained on the secure configuration of the controls that pertain to their specific domain of expertise.
ix) Level III Support: Provide level II support for cloud-related incident and problem management involving specific cloud security mechanisms.
The workload will include the above objectives/tasks and participation in Project meetings (requiring active participation and contribution as well as document preparation) as well as Security Architectural meetings pertaining to the PCT RSP Program.

b) Deliverables

• Milestone 1: Approved Detailed Security design for all Phases of the RSP Project.
o Objective: To finalize and receive approval for the comprehensive security design covering all phases of the RSP project.
• Milestone 2: Holistic and Efficient Implementation of Required Information Security Controls
o Objective: To implement the planned information security controls effectively and in a manner that covers all aspects of the security design.
• Milestone 3: Acceptance of Post-Implementation Documentation and Satisfactory Training
o Objective: To ensure all project documentation is complete, up-to-date, and accepted, and that relevant personnel are adequately trained.
• Clean Penetration Test, CSPM Misconfiguration Check for New Control Implemented.
o Objective: Validate the security of the newly implemented controls through penetration testing and ensure no misconfigurations exist, particularly in Cloud Security Posture Management (CSPM).

3. Reporting

The incumbent works under the supervision of the Head of Information Security Section.

4. Profile (e.g. area of specialization/expertise, specific knowledge/skills/experience)

Education

Essential

• Advanced university degree in information security, computer science, engineering, mathematics, business, or related discipline. A first-level university degree in a relevant discipline plus two years of relevant experience in addition to the experience requested below may be accepted in lieu of an advanced degree.
• CISSP
• AWS Certified Security Specialist certification
• Microsoft Certified Azure Security Engineer Associate
• Microsoft Certified: Information Protection and Compliance Administrator
• AWS Certified Solution Architect Associate

Desirable

• Additional certifications such as Microsoft Azure Solution Architect Associate
• CISSP-ISSEP and/or CCSP Certification
• ITIL Foundation
• PRINCE2 Foundation

Experience

Essential

• At least 10 years of experience in information technology engineering, with a minimum of 7 years of experience as a Senior Security Engineer/Specialist and 5 years in a Senior Cloud Security Engineer or similar position in regulated sectors (finance preferred).
• Skilled in detailed designing, deploying, enabling, configuring, testing, tuning, automating, and administering AWS/Azure security controls.
• Adept in IT security management, focusing on infrastructure, network, encryption, identity/access, endpoints, apps, data security, containers, and serverless tech, with expertise in at least 3 of the domains listed above.

Technical skills

The candidate is expected to have:
• Familiarity with a broad range of technologies supplemented by in-depth knowledge of AWS and Azure security services, mechanisms, and features.
• Extensive expertise in Cloud Security Engineering, Cloud Security Architecture, Cloud IAM, Hybrid Multi-Cloud Strategy, and Cloud Automation technologies. Familiar with cloud compliance and governance frameworks like NIST, CIS, CSA CCM, and AWS Well-Architected Framework. Skilled in Information Security Engineering, Security Compliance as code, technical documentation, and requirements and architectural analysis.
• The ideal candidate should have significant experience in automating security solution deployments on AWS and Azure, utilizing their native Infrastructure as Code (IaC) for efficient setup. This includes deep knowledge of AWS and Azure security tools, expertise in integrating various cloud-native security services, and skills in optimizing for performance and scalability. They should also be adept at technical documentation, understanding architectural frameworks, and providing advanced IT support.

Desirable

• Experience in scripting for security automation, CrowdStrike EDR & CSPM, Zscaler SASE, LogRhythm SIEM, Azure Sentinel, ISO 27001, PRINCE2 project management methodology and/or Agile.

Soft skills

Essential

• Excellent analytical skills and attention to detail.
• Ability to work under minimum supervision.
• Excellent interpersonal skills with the ability to establish and maintain effective partnerships and working relations in a multi-cultural environment with sensitivity and respect for diversity.

Language

Essential

Excellent written and spoken knowledge of English.

Desirable

Knowledge of other UN official languages, particularly French.

5. Duration of contract and payment

WIPO is looking for a nearshore candidate for 12 months renewable.
The applicant shall provide an indication of their remuneration expectations in US Dollars (daily rate). The contract may be renewed upon satisfactory performance and availability of funds.

UN Jobline