IT Systems Security Engineer

JOB DESCRIPTION
JOB TITLE: IT Systems Security Engineer (Level 3)
DEPARTMENT: Data and Technology
REPORTS TO: Head of Information Security
DIRECT REPORTS: None
LOCATION: UK Biobank’s facilities in Greater Manchester (Initially based in Stockport 
with a move to Manchester Science Park date in 2026/27). 
PURPOSE OF THE ROLE:
Reporting to the Head of Information Security, this is a specialist role within the Data & Technology 
Team.
Working closely with internal and external stakeholders, the role holder will use their knowledge and 
experience to identify information security risks and implement practical measures to protect the 
organisation’s data, services, and physical assets.
The role holder will also be involved in the Data & Technology transformation programme, supporting 
the introduction of new technologies and services that deliver proactive threat prevention whilst 
ensuring staff and other authorised users are able to access services easily, securely, and without 
unnecessary barriers.
PRINCIPAL DUTIES AND RESPONSIBILITIES:
1. Provide expert advice and assistance to enhance the security of UK Biobank data, services, 
and physical assets
2. Work with the Head of Information Security to develop a long-term strategy to address 
vulnerabilities and protect sensitive data from loss, compromise, and misuse
3. Work with the IT Manager to protect information assets in accordance with data 
classification
4. Assist with the re-design of the organisation’s security architecture
5. Monitor the vulnerability exposure of all end point operating systems, applications, and 
services
6. Oversee the deployment of security patches, firmware, drivers, and general updates
7. Undertake information security risk assessments, including for end point devices that are in 
exception and cannot be updated due to concerns regarding business continuity
8. Ensure that risks are recorded accurately and that risk owners are aware of their exposure
9. Where appropriate, manage identified risks to mitigation
10. Work across Data & Technology to implement controls necessary to maintain a robust 
security posture
11. Work with Infrastructure and Network specialists to employ technologies such as network 
segmentation, software defined networking, and Security Service Edge (SSE) solutions
12. Contribute to the continuous development of security processes, and overall IT capability in 
the management of security 
13. Ensure security and technology controls are documented and are operating in compliance 
with both internal and external requirements
14. Review and manage SIEM alerts from our managed SOC, escalating incidents when needed.
15. Produce regular reports on various information security metrics
16. Respond to, investigate, and aid in the resolution of information and cyber security incidents
17. Participate in the development and testing of the security incident response plan
18. Engage with partners, suppliers, and other third parties to evaluate risk, examine contracts, 
and identify data privacy issues
19. Assist with the completion of regulatory audits
20. Follow defined IT service management practices to ensure agreed service levels are 
maintained
21. Analyse proposed changes from an IT security standpoint to ensure risks are not introduced
22. Assist with the evaluation and testing of new technologies and services
23. Perform all duties in accordance with UK Biobank standards and regulations
24. Support IT projects as directed by the Head of Information Security or IT Manager
SECONDARY DUTIES AND RESPONSIBILITIES:
25. Participate in general security management activities, including the installation of patches 
and updates, and the maintenance of antivirus/EDR software
PERSON SPECIFICATION
Essential Experience and Knowledge:
1. At least 5 years operational experience working in a security analyst, engineer, or similar role 
within a complex, multi-site organisation
2. CompTIA Security+, SSCP, or equivalent qualification
3. Knowledge of the security models, standards, practices, benchmarks, and controls 
advocated by bodies such as ISO, NIST, CIS, OWASP, CAF and NCSC 
4. Experience of risk management and third-party assurance
5. Experience of technical and information security compliance reviews and audits, with a good 
grounding in well-known standards and frameworks such as ISO27001/2, ISO27018, PCIDSS, and NIST
6. A clear understanding of challenges associated with data privacy and associated regulatory 
compliance, particularly the DPA, GDPR, and HIPPA
7. Strong knowledge and understanding of the cyber threat landscape
8. Knowledge and experience of the approaches and technologies used to secure operating 
systems (Windows, Mac, and Linux), databases, networks, cloud platforms, applications, and 
software code
9. Experience working with vulnerability scanning and threat detections tools, including those 
used on cloud platforms (experience working with Microsoft Azure would be advantageous)
10. Experience working with security technologies such as antivirus/EDR software (ideally 
CrowdStrike), device encryption, and SIEM solutions (ideally MS Sentinel)
11. Knowledge of networking and Zero Trust Network Architectures
12. Experience or knowledge of delivering information security risk assessments
13. Experience of continuity planning, incident management, and incident response
14. Experience of writing security or design documentation, including policies, standards, 
benchmarks, or secure designs
15. Excellent verbal communication skills with the ability to engage effectively with technical 
and non-technical stakeholders at all levels
16. Excellent written communication skills with the ability to produce clear and concise 
documentation
17. Strong people skills and ability to work well within a team
18. An ability to quickly determine the nature of new threats and deliver appropriate responses
19. Attentive to detail with excellent problem-solving and information gathering skills
Desirable Experience and Knowledge:
20. CISM, CISSP, or CCSP qualification
21. Experience of firewall administration, ideally Fortinet
22. Experience of working with identity management, data classification, and access control 
systems
23. Knowledge of cryptography and secure communication protocols