Job Vacancies at Liberty Life
Information Security Officer
- Job Type: Full Time
- Qualification: BA/BSc/HND
- Experience: 4 years
- Location: Nairobi
- Job Field: ICT / Computer
Job Summary
The purpose of the job is to implement and maintain an enterprise-wide Information Security Management Program to safeguard organizational information assets. This includes identifying, evaluating, and reporting on information security risks to ensure compliance with regulatory requirements and alignment with the organization’s overall risk management strategy.
Key Responsibilities
- Develop and maintain relationships with key stakeholders to further embed the partnership that exists between IT Security, IT and the business.
- Research and maintain knowledge of the IT threat landscape, security trends, regulatory requirements, new technologies and best practices in order to provide sensible and pragmatic security advice to stakeholders.
- Facilitate the adoption of IT Security solutions (e.g. privileged user management or access management processes) and services (e.g. IT Security engineering and penetration tests) across the application and infrastructure landscape.
- Provide adequate IT Security input into all features and other technology solutions; this includes the requirements for the evaluation, selection, installation, configuration and maintenance of hardware, applications and software.
- Develop an effective line of business IT Security strategy that supports and enables business strategy.
- Advise IT business partners on regulatory and/or legal requirements as they relate to the securing of data, and assist with the implementation of the controls to support these requirements.
- Conduct reviews of applications, systems, underlying infrastructure and related processes as per the schedule.
- Establish and maintain risk profiles for business units by facilitating the implementation and ongoing management of general control reviews.
- Collaborate with threat intelligence, cybersecurity, security engineering and other risk functions to develop and maintain a holistic security strategy and remediation plans.
- Collaborate with feature teams, product owners, architecture, IT, business, vendors and other stakeholders to investigate risk remediation controls.
- Assist in documenting and tracking security findings into a formal risk register. Provide the necessary information to support any deviation to IT Security policies and standards.
- Facilitate the use of secure architectural patterns and work with the security engineers to translate these patterns into line of business secure builds.
- Embed the use of self-service and automated security testing into the DevOps/Software Development Lifecycle.
- Participate in the development of new IT Security Policies, Standards and Guidelines, and in the annual review of existing ones, by providing input to enhance the quality and completeness of these documents.
- Communicate the requirements for compliance to the IT Security Policies, Standards and Guidelines to the relevant parties within IT.
- Identify areas of non-compliance to IT Security Policies and Standards within IT.
Qualifications
- Bachelor’s Degree in Information Technology, Computer Science and any relevant field.
- Certification and/or knowledge in the following areas would be preferred:
  - Certified Information Systems Security Professional (CISSP)
  - Certified Ethical Hacker (CEH)
  - Certified Information Security Manager (CISM)
  - Certified in Risk and Information Systems Control (CRISC)
  - Certified Information Systems Auditor (CISA)
Experience
At least 4 years’ experience in an Information Security or Risk and Compliance role within a large, highly digitized organization running mission-critical systems. Experience in the BFSI (Banking, Financial Services and Insurance) sector will be an added advantage.
Competencies
- The ability to assess and mitigate the risks associated with the storage and retrieval of electronic information.
- Ability to examine essential elements of risk such as assets, threats, vulnerabilities, safeguards, consequences and the likelihood of the threats materialising. The ability to define and analyse risk identification information in a quantitative and/or qualitative way.
- The ability to manage, and provide expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.
- The ability to independently conduct third-party assessment of the conformity of any activity, process, deliverable, product or service with the criteria of specified standards, best practice or other documented requirements with regards to network security tools, firewalls and Internet security.
- Business Continuity planning.