PAHO

PAHO Consultant - Information Security Governance and Reporting Automation

PAHO, Barre, Massachusetts, US, 01005

OBJECTIVE OF THE OFFICE/DEPARTMENT

This is a requisition for employment at the Pan American Health Organization (PAHO)/Regional Office of the World Health Organization (WHO).

Contractual Agreement: Non-Staff - International PAHO Consultant

Job Posting: October 22, 2025

Closing Date: October 28, 2025, 11:59 PM Eastern Time

Primary Location: Off Site

Organization: ITS Information Technology Services

Schedule: Full time

PURPOSE OF CONSULTANCY

This requisition is for a consultancy at the Pan American Health Organization (PAHO)/Regional Office of the World Health Organization (WHO).

DESCRIPTION OF DUTIES: Information Security Consultant - Security Governance and Reporting Automation

PAHO is searching for an independent consultant to work at the Department of Information Technology Services (ITS), who will be responsible for the implementation of the following deliverables and activities within PAHO’s Information Security Program:

1. Background

The Pan American Health Organization (PAHO) is strengthening its Information Security Program to enhance the protection, integrity, and confidentiality of its digital assets, focusing on data protection, risk visibility, and automation of compliance across cloud and on-premises environments. To enable data‑driven decision‑making and maintain situational awareness of cybersecurity risks, PAHO requires integrated reporting and automation capabilities that consolidate information from multiple security platforms.

The Information Security Consultant - Security Governance and Reporting Automation will be responsible for developing, automating and maintaining governance and reporting tools that support oversight of vulnerabilities, incidents and data protection — transforming technical data into actionable intelligence that enhances organizational resilience and compliance.

2. Purpose of the Consultancy

To provide technical and analytical support to the Information Security Program, with a focus on cybersecurity governance, data protection oversight, vulnerability and incident reporting, and automation of dashboards and compliance metrics.

The consultant will enable data‑driven governance and decision‑making by automating the collection, correlation, and presentation of metrics from PAHO’s security platforms, strengthening operational maturity across the cybersecurity program.

3. Duties and Responsibilities

Under the supervision of the Information Security Advisor (CISO), the consultant will perform the following activities:

A. Data Security Governance and Emerging Technologies

Support the design and implementation of data security governance processes, including classification, lifecycle management, retention, and secure disposal.

Define and document data protection and access control requirements across cloud and collaboration platforms (Microsoft 365, SharePoint, Teams).

Use tools such as AvePoint, Microsoft Purview, and Defender for Cloud Apps (CASB) to monitor and report on data exposure, access controls, and compliance posture.

Apply Data Security Posture Management (DSPM) principles to continuously identify and monitor sensitive data, permissions, and movement across multi‑cloud and hybrid environments.

Support the CISO Team in establishing AI Governance practices, including secure data handling for AI models and monitoring of AI service integrations (e.g., Copilot, ChatGPT APIs).

Develop automated reports on data‑sharing risks, policy enforcement, and remediation aligned with ethical and regulatory requirements.

Ensure that data protection and AI governance controls remain aligned with PAHO policies, digital ethics standards, and applicable data protection frameworks.

B. Compliance, Risk Monitoring, and Reporting Automation

Implement automated dashboards and workflows to monitor compliance, risk, and security performance across PAHO’s cybersecurity domains.

Integrate data from PAHO’s main security platforms (Qualys, Microsoft Sentinel, Entra, Purview, Intune, AvePoint, others) to consolidate visibility into vulnerabilities, incidents, and data protection posture.

Maintain and update the ITS Risk Register by correlating vulnerability, incident, and compliance data in alignment with NIST CSF and CIS Controls.

Develop reporting pipelines and automation scripts (Power Automate, Python, REST APIs) to ensure consistent and timely delivery of performance metrics.

Automate compliance evidence generation for audits, governance and management reviews.

Maintain and support the development of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) related to vulnerability remediation, incident response, security awareness and data protection.

Extend automation to include AI and DSPM metrics, monitoring data exposure and AI usage indicators as part of governance reporting.

C. Threat and Vulnerability Management (TVM)

Develop and maintain automated dashboards and reports using data from Microsoft Defender, Qualys and related tools, to highlight vulnerability trends, remediation progress, and SLA adherence.

Correlate vulnerability findings with asset criticality, data sensitivity, and exposure to enable prioritized remediation.

Provide monthly vulnerability analytics summaries for the CISO.

Integrate vulnerability metrics with the Risk Register and Governance Dashboards to enable risk‑based decision‑making.

Automate evidence extraction for audits related to patch management and configuration baselines compliance.

D. Incident Management and Resiliency (IMR)

Collaborate with the Security Operations Center (SOC) to automate Microsoft Defender, Sentinel, and other security product dashboards and incident reporting workflows.

Define and maintain incident response metrics (MTTD, MTTR, incident volume, alert efficiency).

Correlate incident data with vulnerabilities and misconfigurations to identify systemic weaknesses.

Produce automated incident reports that integrate detection, response and recovery metrics.

Support CISO oversight through executive summaries highlighting incident patterns and trends.

E. Collaboration and Awareness

Provide technical and analytical input to the Security Governance, Operations and Engineering teams to leverage automation in decision‑making.

Support awareness and training initiatives on secure data handling, AI risk awareness and governance metrics.

Maintain and update Information Security collaboration spaces (Teams and SharePoint) to ensure version control, document integrity, and knowledge sharing.

In addition to the above, to perform other related duties as assigned.

4. Required Qualifications

Education:

Advanced university degree in Computer Science, Information Technology Systems, or other related disciplines from an accredited institution. A master’s degree in Cybersecurity, Information Systems or Risk Management will be an asset.

Experience:

At least seven years of relevant professional experience in cybersecurity governance, compliance and auditing, and risk management, including exposure to emerging technologies such as AI.

Proven experience implementing security reporting and automation solutions using Microsoft Office365, Entra, Microsoft Security platforms, and Qualys.

Familiarity with Data Security Posture Management (DSPM) tools and practices.

Working knowledge of NIST CSF 2.0, CIS Controls, ISO/IEC 27001, and data protection frameworks.

Technical Skills:

Expertise in data automation and API integration (Python/PowerShell, KQL, REST APIs).

Business Intelligence and visualization tools (Power BI, Tableau, etc.).

Understanding of AI risk and data security controls for enterprise and generative AI environments.

Excellent analytical and communication skills for both executive and technical audiences.

Language: Very good knowledge of English and Spanish

Duration: 12 months full‑time, extension subject to performance and availability of funds.

Salary: Band B – Daily Rate $300

ADDITIONAL INFORMATION

This vacancy notice may be used to identify candidates for other similar consultancies at the same level.

Successful candidates will be placed on the roster and subsequently may be selected for consultancy assignments falling in this area of work or for similar requirements/tasks/deliverables. Inclusion in the Roster does not guarantee selection for a consultant contract. There is no commitment on either side.

Only candidates under serious consideration will be contacted.

All applicants are required to complete an on-line profile to be considered for this consultancy. For assessment of your application, please ensure that your profile in the PAHO Career page is updated and that all experience records are entered with elaboration on tasks performed at the time. Kindly note that CV/PHFs inserted via LinkedIn are not accessible.

A written test may be used as a form of screening.

If your candidature is retained for interview, you will be required to provide, in advance, a scanned copy of the degree(s)/diploma(s)/certificate(s) required for this position. PAHO/WHO only considers higher educational qualifications obtained from an institution accredited/recognized in the World Higher Education Database (WHED), a list updated by the International Association of Universities (IAU)/United Nations Educational, Scientific and Cultural Organization (UNESCO). The list can be accessed through the link: http://www.whed.net/. PAHO will also use the databases of the Council for Higher Education Accreditation http://www.chea.org/search/default.asp and College Navigator, found on the website of the National Centre for Educational Statistics, https://nces.ed.gov/collegenavigator to support the validation process. Some professional certificates may not appear in the WHED and will require individual review.

Any appointment/extension of appointment is subject to PAHO/WHO Regulations, and e-Manual.

For information on PAHO please visit: http://www.paho.org

PAHO/WHO is committed to providing a respectful and supportive workplace for all personnel.

PAHO is an ethical organization that maintains high standards of integrity and accountability. People joining PAHO are required to maintain these standards both in their professional work and personal activities.

PAHO also promotes a work environment that is free from harassment, sexual harassment, discrimination, and other types of abusive behavior. PAHO conducts background checks and will not hire anyone who has a substantiated history of abusive conduct.

PAHO personnel interact frequently with people in the communities we serve. To protect these people, PAHO has zero tolerance for sexual exploitation and abuse. People who commit serious wrongdoings will be terminated and may also face criminal prosecution.

PAHO/WHO has a smoke‑free environment and does not recruit smokers or users of any form of tobacco.

Applications from women and from nationals of non‑ and under‑represented Member States are particularly encouraged.

Consultants shall perform the work as independent contractors in a personal capacity, and not as a representative of any entity or authority. The execution of the work under a consultant contract does not create an employer/employee relationship between PAHO and the Consultant.

PAHO/WHO shall have no responsibility whatsoever for any taxes, duties, social security contributions or other contributions payable by the Consultant. The Consultant shall be solely responsible for withholding and paying any taxes, duties, social security contributions and any other contributions which are applicable to the Consultant in each location/jurisdiction in which the work hereunder is performed, and the Consultant shall not be entitled to any reimbursement thereof by PAHO/WHO.
