The Incident Management Team are the front-line operational arm of the HMRC Cyber Security Team, responsible for protecting the confidentiality, integrity and availability of HMRC online services and data assets. The team and the successful individual undertake the following 3 core activities:

Detect and Identify
Prepare to Respond
Response and Remediation

The Detect and Identify function of the Incident Management Team consists of monitoring, analysis and triage activities. The successful candidate will use technical tools to check and maintain the health of the HMRC online services and user devices. Analysis of big data sets is undertaken to identify suspicious or malicious activities which is triaged before lower level investigation and response activities can take place.

The Investigation & Response function of the Incident Management Team look to investigate, contain, remediate and prevent future re-occurrence of identified malicious traffic or incidents.

The team includes Apprentices, Fast-streamers and Industrial Placements (on a sandwich year from university) as well as established analysts.

The "Senior Cyber Security Analyst" will predominantly undertake the core roles and functions of the Investigation and Response Team.

See what it's like to work at HMRC: "https://hmrc-jobs.career-inspiration.com/app/home", find out more about us or ask our colleagues a question.

Person specification

• Work with the Incident Response coordinators to investigate and respond to complex incidents coordinating the actions of analysts and other stakeholders.
• Subject matter experts in host and network digital forensics, malware analysis and programming, along with secure service and infrastructure design.
• In-depth knowledge of technical security controls such as SIEMs, EDR, firewalls, WAFs, proxies, IDS and zero trust.
• Ensure the prompt analysis of anomaly detection tools to help identify security breaches, cyberattacks, and reporting activity.
• Maintain and develop use case detections and response tasks using Mitre Att&ck Framework.
• Exercise, tune and innovate security incident playbooks/standard operating procedures.
• Maintain and improve in team workflows and procedures.
• Taking ownership of CST's cases and following CST tickets to full resolution state - in line with CST procedures.
• Collaborative working with external suppliers.
• Perform analysis and forensics on computer/network artefacts and malware samples to assess the impact of an incident, document attack capabilities, understand propagation characteristics and define signatures for detecting its presence.
• Line management of analysts: Direct and coordinate their work and provide expert technical support.
• Manage the performance and development of cyber security staff.
• Deputise as Incident Response Coordinator.

Essential Criteria

• Experience of using a variety of analytical tools to identify security compromises within large amounts of complex data.
• Experience of analysing large datasets to find unusual system and user behaviours.
• Knowledge of multiple technical environments, including but not limited to, cloud, networking, operating systems, databases.
• Exposure to the cyber security, including knowledge and experience of the breadth of threat actors and depth of threat vectors available.
• Knowledge of using digital forensic and malware analysis tools, whether that be commercial products or open source.
• An understanding of the structures underpinning corporate IT systems and how these structures can be compromised and exploited.
• Proven understanding of security monitoring, intrusion detection, prevention and control systems including firewalls, anti-virus, web proxies.
• Experience or understanding of security incident management frameworks and their practical application during an incident.

Desirable Criteria

• Degree majoring or including Cyber Security / Digital Forensics.
• Incident Response (DFIR)/Malware Analysis.
• Recent working experience of working in a SOC (Security Operations Centre).
• Technical Certifications such as SANS, CompTIA and ISC2

Additional Security Information

Successful candidates must meet the security requirements before they can be appointed. The level of security needed is Security check (SC).

Full Time Only

Due to operational needs, these posts are full-time; however, applicants who need to work a more flexible arrangement are welcome to apply. We can't guarantee that we can meet all requests to work flexibly as any agreement will be subject to business ability to accommodate. Any request to work a more flexible arrangement should be made prior to your acceptance of the provisional offer.

Transitional Sites

For more information on where you might be working, review this information on our locations .

If your location preference is for one of the following sites, it's important to note that these are not long-term sites for HMRC and we will require you to move to a new building in the future, subject to our location strategy and the applicable employee policies at that time.

These sites are:

• Telford Plaza, Telford - moving to Parkside Court, Telford

You will be given more information about what this means at the job offer stage

Leeds Locations

Moves Adjustment Payment will be available for this role, provided the successful applicant is a current HMRC colleague and meets the eligibility requirements outlined in the HMRC's Moves Adjustment Payment guidance.

Behaviours

We'll assess you against these behaviours during the selection process:

• Making Effective Decisions
• Changing and Improving

Technical skills

We'll assess you against these technical skills during the selection process:

• Questions relating to Cyber Security.

Benefits

Alongside your salary of £37,682, HM Revenue and Customs contributes £10,916 towards you being a member of the Civil Service Defined Benefit Pension scheme. Find out what benefits a Civil Service Pension provides.

HMRC operates both Flexible and Hybrid Working policies, allowing you to balance your work and personal commitments. We welcome applications from those who need to work a more flexible arrangement and will agree to requests where possible, considering our operational and customer service needs.

We offer a generous leave allowance, starting at 25 days and increasing by a day for every year of qualifying service up to a maximum of 30 days.

• Pension - We make contributions to our colleagues' Alpha pension equal to at least 28.97% of their salary.
• Family friendly policies.
• Personal support.
• Coaching and development.

To find out more about HMRC benefits and find out what it's really like to work for HMRC hear from our insiders or visit Thinking of joining the Civil Service

Things you need to know

Selection process details
This vacancy is using Success Profiles (opens in a new window) , and will assess your Behaviours, Strengths, Experience and Technical skills.

How to Apply

As part of the application process, you will be asked to provide the following:

• A name-blind CV including your job history, qualifications and previous experiences. Please limit your CV to up to your last 5 roles.
• A 750-word personal statement. Your personal statement should show how you meet the person specification and essential criteria.

Please complete a separate statement (Max 250 words) for the Desirable Criteria where applicable. This is not essential for the role but may be considered by the vacancy-holder where candidates have the same scores at sift or interview.

Further details around what this will entail are listed on the application form.

Artificial Intelligence can be a useful tool to support your application, however, all examples and statements provided must be truthful, factually accurate and taken directly from your own experience. Where plagiarism has been identified (presenting the ideas and experiences of others, or generated by artificial intelligence, as your own) applications may be withdrawn and internal candidates may be subject to disciplinary action. Please see our candidate guidance for more information on appropriate and inappropriate use.

Sift

At full sift your CV and your Personal Statement will be assessed, with the successful candidates being invited to interview.

We may also raise the score required at any stage of the process if we receive a high number of applications.

Interview

During the panel interview, you will be assessed onBehaviours, Strengths and Technical questions relating to Cyber Security.

This is an example of a strengths-based question.

"It is often said that the customer's needs should come first. To what extent do you agree or disagree with this statement?"

There is no expectation or requirement for you to prepare for the strengths-based questions in advance of the interview, though you may find it helpful to spend some time reflecting on what you enjoy doing and what you do well.

Interviews will take place via video link.

Sift and interview dates to be confirmed.

Eligibility

Please take extra care to tick the correct boxes in the eligibility sections of your application form. We understand mistakes sometimes happen but if you contact us later than two working days(Monday-Friday) before the vacancy closes, we will not be able to reopen your application for you. If you do make a mistake with your eligibility form, please contact us via: unitybusinessservicesrecruitmentresults@hmrc.gov.uk - Use the subject line to insert appropriate wording for example - 'Please re-open my application - [insert vacancy ref] & vacancy closing date [insert date]'.

To check that you are eligible to apply for this role, please review the eligibility information before submitting your application .

Reserve List

A reserve list may be held for up to 12 months from which further appointments may be made for the same or similar roles - if this applies to you, we'll let you know via your Civil Service Jobs account.

Criminal Record Check

Applications received from candidates with a criminal record are considered fairly in accordance with the DBS Code of Practice and the Recruitment of ex-offenders Policy.

Merit List

After interview, a single merit list will be created, and you will only be considered for posts in locations you have expressed a preference for. Appointments will be made in strict merit order in line with the set number of roles in each location.

Reasonable Adjustments

We want to make sure no one is put at a disadvantage during our recruitment process. To assist you with this, we will reduce or remove any barriers where possible and provide additional support where appropriate.

If you need a change to be made so that you can make your application, you should:

• Contact the UBS Recruitment team via unitybusinessservicesrecruitmentresults@hmrc.gov.uk as soon as possible before the closing date to discuss your needs.

Complete the "Assistance required" section in the "Additional requirements" page of your application form to tell us what changes or help you might need further on in the recruitment process. For instance, you may need wheelchair access at interview, or if you're deaf, a Language Service Professional.

Additional Security Information

Please note: in addition to the standard pre-employment checks for appointment into the Civil Service, all candidates must also obtain National Security Vetting at Security Check (SC) clearance level for this vacancy. You will normally need to meet the minimum UK residency period as determined by the level of vetting being undertaken, which for SC is 5 years UK residency prior to your vetting application. If you have any questions about this residency requirement, please speak to the vacancy holder for this post.

Important information for existing HMRC contractual homeworkers:

Please note that this role is unsuitable for contractual homeworkers due to the nature and/or requirements of the role.

Terms and Conditions

Customer facing roles in HMRC require the ability to converse at ease with members of the public and provide advice in accurate spoken English and/or Welsh where required. Where this is an essential requirement, this will be tested as part of the selection process.

HMRC has a presence in every region of the UK. For more information on where you might be working, review this information on our locations .

The Civil Service values honesty and integrity and expects all candidates to abide by these principles. The evidence you provide in your application must relate to your own experiences.

Any instances of plagiarism or other forms of cheating will be investigated and, if proven, the relevant application(s) will be withdrawn from the process.

Recording of interviews is prohibited unless explicit agreement is sought in line with the UK General Data Protection Regulations.

Questions relating to an individual application must be emailed as detailed later in this advert.

Applicants who are successful at interview will be, as part of pre-employment screening, subject to a check on the Internal Fraud Database (IFD). This check will provide information about employees who have been dismissed for fraud or dishonesty offences. This check also applies to employees who resign or otherwise leave before being dismissed for fraud or dishonesty had their employment continued. Any applicant's details held on the IFD will be refused employment.

A candidate is not eligible to apply for a role within the Civil Service if the application is made within a 5 year period following a dismissal for carrying out internal fraud against government.

New entrants will join on the minimum of the pay band.

Please note that, if you are applying for roles on a part-time basis, the salary agreed will be pro-rata, reflective of the working hours agreed within your contract.

If you experience accessibility problems with any attachments on this advert, please contact the email address in the 'Contact point for applicants' section.

For more Information for people applying for, or thinking of applying for, roles at HM Revenue and Customs, please see link: Working for HMRC: information for applicants - GOV.UK .

Feedback will only be provided if you attend an interview or assessment.

Security
Successful candidates must undergo a criminal record check.

Successful candidates must meet the security requirements before they can be appointed. The level of security needed is security check (opens in a new window) .

See our vetting charter (opens in a new window) .

People working with government assets must complete baseline personnel security standard (opens in new window) checks.

Nationality requirements
Open to UK nationals only.

Working for the Civil Service
The Civil Service Code (opens in a new window) sets out the standards of behaviour expected of civil servants.

We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles (opens in a new window) .

The Civil Service embraces diversity and promotes equal opportunities. As such, we run a Disability Confident Scheme (DCS) for candidates with disabilities who meet the minimum selection criteria.

The Civil Service also offers a Redeployment Interview Scheme to civil servants who are at risk of redundancy, and who meet the minimum requirements for the advertised vacancy.

Diversity and Inclusion
The Civil Service is committed to attract, retain and invest in talent wherever it is found. To learn more please see the Civil Service People Plan (opens in a new window) and the Civil Service Diversity and Inclusion Strategy (opens in a new window) .

Apply and further information

This vacancy is part of the Great Place to Work for Veterans (opens in a new window) initiative.

Once this job has closed, the job advert will no longer be available. You may want to save a copy for your records.

Contact point for applicants

Job contact :

• Name : Hardeep Hothi
• Email : hardeep.hothi@hmrc.gov.uk

Recruitment team

• Email : unitybusinessservicesrecruitmentresults@hmrc.gov.uk

Further information
Appointment to the Civil Service is governed by the Civil Service Commission's Recruitment Principles. You have the right to complain if you feel there has been a breach of the Recruitment Principles. In the first instance, you should raise the matter directly via ubsrecruitmentcomplaints@hmrc.gov.uk. Please note that we do not accept complaints or appeals regarding scoring of outcomes of campaigns, unless candidates can provide clear evidence that the campaign did not follow the Recruitment Principles. If you are not satisfied with the response, you may bring your complaint to the Commission. For further information on bringing a complaint to the Civil Service Commission please visit their website.