Eu- Workplace Security Specialist

**DESCRIPTION OF THE TASKS**

Generally, this contract will support some of the multiple Security aspects on IT in Eurostat, by:

- Providing support conducting security risk assessments according to the IT Security Risk methodology used within the European Commission,
- Providing support to the different stakeholders during the preparation or update of their Information Systems security plans,
- Providing security studies associated with present or future Information System projects, and the integration of different security technologies in Eurostat IT environment.
- Providing technical expertise for the implementation of the necessary technical measures required to implement effective solutions for mitigating security risks (e.g. integration of security related technologies, identity and access management).
- Providing support for the training & awareness activities on the IT Security topics.
- Supporting security assessments on Eurostat Information Systems for compliance reporting in the context of specific audits or EC mandatory IT Security attestation exercises.
- Providing generic support on IT security aspects as required. Some task examples to be covered by this contract are described below.

**TASK 1: IT SECURITY RISK ASSESSMENT FOR EUROSTAT INFORMATION SYSTEMS**

The general purpose of task #1 is provide support on the preparation or update of the IT Security Risk assessments for Eurostat Information Systems.

The main existing tools/environments to be taken into account for this task are:

- Eurostat Information Systems.
- ITSRM Methodology, Templates and artefacts.
- GovSec.RM online platform.
- GRC.Risk on Service Now platform.

This task comprises: Working in coordination with the assigned officials in Eurostat to conduct the IT security risk assessments:

- Participate in the interviews with all the relevant stakeholders (on site/ videoconference).
- Collaborate to prepare/update the risk assessment for the Eurostat Information Systems using ITSRM methodology.
- Provide technical support to complete templates for each Risk assessment and their introduction into GovSec.RM and GRC.Risk tools.
- Collaborate with technical support during the approval process (on site / off site).
- Support the solutions included in each Risk assessment when presented to the relevant stakeholders (on site/ videoconference).

Expected deliverables are:

- IT Security Risk Assessment artefacts, including completed templates, minutes of meetings with the relevant stakeholders.
- Encoded IT Security Risk Assessment introduced in the GovSec.RM and/or GRC.Risk tools.

**TASK 2: IT SECURITY PLANS FOR EUROSTAT INFORMATION SYSTEMS PRODUCTION/UPDATE**

The general purpose of task #2 is to produce new (or update the existing) IT Security Plans for Eurostat Information Systems. The main existing tools/environments to be taken into account for this task are:

- Eurostat Information Systems.
- ITSRM Methodology, Templates, artefacts and GovSec.RM/GRC.Risk tools.
- Previous versions of the IT Security plans in place. This task comprises: Working in coordination with the assigned officials in Eurostat to draft the IT Security Plan documents, including the design, implementation and support of effective solutions for mitigating identified security risks:

- Participate in the interviews with all the relevant stakeholders (on site/ videoconference).
- Collaborate to prepare/update the IT Security Plans for the Eurostat Information Systems according to ITSRM methodology.
- Provide technical support to complete each IT Security Plan with the relevant documentation required.
- Collaborate with technical support during the approval process (on site / off site).
- Support the solutions included in each IT Security Plan when presented to the relevant stakeholders (on site/ videoconference).

Expected deliverables are:

- IT Security Plans artefacts, including completed templates, minutes of meetings with the relevant stakeholders and the approval process.
- IT Security Plans approved.

**TASK 3: SUPPORT IT SECURITY COMPLIANCE REPORTING AND EVOLUTION ON THE CONTEXT OF ESS IT SECURITY FRAMEWORK
Between 2021 and 2022, Eurostat underwent a security audit conducted by an external company. This audit certified that Eurostat reached the required level of security to handle statistical confidential data as defined in the ESS IT Security Framework. The objective of task #3 is to provide support to Eurostat to monitor and maintain the security level of information systems required to keep the certification during the current cycle and provide security studies associated with the potential evolution of the ESS IT Security framework. This audit is currently based on the ISO 27000 framework (ISO 27002 more specifically). The audit checks compliance items such as information security policies, asset management, access control and operations security. For each item, evidences will be provided: electronic documents, screenshots, papers, configuration fi