Job Description
The Information Security Officer is responsible for the management of our client’s information security governance according to the Information Security Management System (ISMS) framework. The Information Security Officer is expected to manage and monitor security measures for the protection of computer networks and information. This will include the definition of the day-to-day information security authorisations on key controls; the monitoring, audit, and reporting on information security controls; the creation and maintenance of information security documentation; and to participate in information security audits.
You will have experience of managing external IT vendors (ideally within the finance sector) and have knowledge of relevant Technology deployed within the company to cover databases, network infrastructure, desktop solutions (ideally knowledgeable on Office 365 or Microsoft Exchange infrastructures), and cloud infrastructure (understanding key concepts relating to PaaS and SaaS).
The role requires a good overall understanding of the business and the applicable legal and regulatory obligations (in particular data protection requirements) and deep experience of IT systems, networks, and IT security protocols, together with a rounded knowledge of operational processes and internal control methodologies relating to IT risk and cyber risks more generally.
The role holder is expected to deputise for the Information Security Officers in the security team when required, and to attend regular departmental meetings and other meetings relevant to the role.
Key Responsibilities include:
- Information Security technical leadership
- Governance & standard development and monitoring
- Security Incident Management
- Cyber Risk management
- Driving Information Security awareness
Main tasks and responsibilities
Governance / Standards
- Maintain and develop information security documentation to agreed standards
- Facilitate external information security audits, third-party surveys, management reviews and internal information security audits
- Define and manage the monitoring of key measures of ISMS performance
- Drive NIST CSF within the Group
Security Incident Management
- Ownership and management of the Information Security Incident Management Process. Manage incidents and their follow-up actions, agreeing the required actions and ensuring that all of them are carried out
- Manage the documentation of policies, procedures, security guidelines and runbooks to assist in the timely resolution of Security Incidents
- Assist with development of relevant BCP plans for IT and business from a security perspective
Cyber Risk
- Oversight, management, and reporting on all risks pertaining to information security, including all forms of cyber risk and all risks relating to the protection of personal data throughout the business in all locations
- Developing and monitoring Key Risk Indicators (KRI) and Key Performance Indicators (KPI), relating to the information security controls of the business
- Assist in the assessment of risk to the security of information, assets, and personnel
- Assist in management of cyber risk including risk reviews and mitigation planning
Information Security Technical leadership
- Drive and coordinate the management of security through the sharing of ideas between key security players, the monitoring of threats and subsequent identification for opportunities for improvement, and the on-going monitoring of security activity (e.g., pen testing actions) to meet targets; and drive and manage the development of information security to ensure approaches, techniques and tools continue to meet needs
- Ensure that the team become an active part of projects to ensure that all projects take information security into account; and to carry out – or oversee – information security risk assessments and ensure that the results are acted upon
- Providing training, coaching and internal consultancy to the business at all levels in relation to the Information Security Management System, the NIST framework and a wide variety of IT controls and information security controls, and also in respect of new and evolving IT standards, cyber risks, and information security issues
- Authorise the release of system changes into production environments according to agreed parameters and processes.
- Provide information security guidance to IT team as part of SDLC
- Perform regular internal and external security audits and testing including penetration testing
Information Security Awareness
- Assist in the development, and delivery, of training, education, and initiatives to promote security awareness throughout the business
Cyber Risk Management
- Preparation, management, and reporting of the Information Security Risk Assessment in conjunction with the overall Business Operational Risk Assessment
- Reporting on Key Risk Indicators and Key Performance Indicators
- Provide IT and information security control risk input into projects from inception
Customer Management
- Commits to exceeding the expectations and needs of internal/external customers, and possesses a "customer first" mindset
- Ensures that work is accurate and well presented, that customer care is given priority above all else and that in both areas effort is made to exceed the minimum standard required
- Shows concern for detail no matter how small.
- Takes a pride in doing a job well
Key Performance Indicators
- Documentation that meets standards and drives processes
- Audits progressed smoothly and with as little disruption to the business as possible
- All agreed security KPIs (Including security controls) monitored and reported as required
- Ensure that the business process documentation created as part of the ISMS creation is maintained as and when processes change
- Security Incidents managed and closed out as required
- Escalation of incidents within agreed timeframes
- Adequate and robust testing of BCP plan
- Ensure all new implementations are included in BCP plan/solution
- Risk assessments carried out to standard, to agreed schedule, and as required
- Ensure complete and accurate risk register in place and monitored
- Security sharing of ideas actively promoted and audit actions (inc. pen tests) managed and followed-up in a timely fashion
- Applicable threats identified and actioned within agreed timescales
- Ongoing measurable improvements to approaches taken to ensure information security is maintained long term
- Guidance in security risk assessments provided and carried out as required
- Corrective changes documented and agreed based on risk assessments and carried out to plan
- Change releases checked and authorised as required and in a timely manner.
- Project Security risk assessments carried out as required
- Broad and effective staff security awareness delivered through various media and judged effective
- Contributing to the creation of a culture of risk awareness and the highest standards of corporate governance.
- Preparation, management, and reporting of the Information Security Risk Assessment in conjunction with the overall Business Operational Risk Assessment
- Assess operational risks associated to day-to-day activities and implement risk mitigation controls as necessary
- Ensure operational risk events are reported on a timely basis and risk event actions are completed within agreed timelines.
- Maintain effective relations with all key stakeholders across company
- Quality and timeliness of communication updates to all relevant parties
- Ensure appropriate service is delivered at all times, across all business lines and that feedback is sought from key stakeholders to fully assess the service quality
- Is a role model in demonstrating the behaviours and culture across the organization
- Represents company strategy and commercial decisions in a proactive and positive manner
- Leads by example, to motivate and assist with managing change across the organization
Knowledge, Experience or qualifications
- Relevant third-level degree qualification in IT or equivalent industry qualifications (CISSP, MCP)
- At least 5 years' experience in Information Security, and experience in people and IT management
- Experience in security tools and solutions and reporting
- Project management
- Management experience that encompasses information systems or information security experience
- Relevant certification is preferred (CISSP, CISM, CRISC, CCRO) along with the following experience:
- Internal audit knowledge
- Risk analysis – systems/projects/changes
- Security technical knowledge / skills
- Information systems such as Active Directory, firewalls, network, storage, QRadar/SIEM
- IT hardware, software, process
Skills
- Process mapping and data analysis skills
- Analytical skills – interprets quantitative and qualitative information to achieve objectives and produces effective solutions to problems.
- Ability to work to tight deadlines and deliver solutions within defined time periods
- Experience working in a complex operational environment
- Effective verbal and written communication skills and strong interpersonal skills, good at reporting
Behaviours
- Being cooperative, flexible, adaptable, and persistent.
- Diligence – being careful about detail and thorough in completing work
- Integrity – being honest and ethical
- Independence – developing one’s own ways of doing things, guiding oneself with little or no supervision, depending on oneself to get things done.
- Must be willing to travel occasionally between offices in all their territories where required (infrequent)