Description:
Skillsets:
· Information Security Management System (ISO 27001)
· NIST Frameworks
· Risk Management
· Security Controls assurance
· Privacy Assessment
· Business Continuity Management
· IT Disaster Recovery / IT Service Continuity
1. Controls Assurance:
· Establish and / or align with the client's controls framework in accordance with industry standards such as ISO 27001, NIST and the ACSC Essential Eight
· Establish and / or align with the client's security policies, standards and guidelines to support the implementation of the applicable security controls
· Work with the technical teams to ensure the identified controls are implemented for the systems / service lines in scope
· Ensure Enterprise Risk Management (ERM) controls are implemented across the service lines in scope
· Facilitate security audits and aim for minimal to zero findings for the controls within the scope of work
· Understand contractual compliance requirements and help stakeholders understand and drive compliance with them
2. Risks and Issues Management:
· Work with stakeholders to conduct risk assessments, identify risks and issues, and derive treatment plans to mitigate them
· Participate in the governance forums run by the client's security controls assurance team to discuss the issues and risks pertaining to the in-scope services and applications
· Govern risk and issue treatment until the residual risk is brought to an acceptable level
3. Resilience:
· Establish, implement and manage the Business Continuity Plan (BCP) for the services in scope for the customer account
· Liaise with the team to mobilise resources during business continuity events, and conduct tests such as walk-through, table-top, call-tree and simulation exercises
· Liaise with the customer's resilience team and the service leads / SMEs, and govern the IT Disaster Recovery (DR) / IT Service Continuity (ITSC) requirements, including the tests that must be performed across all systems in scope
4. Governance:
· Conduct regular account-level governance meetings with leadership to discuss the status of risks, issues, compliance, BCP and DR / ITSC
· Ensure the reports agreed with leadership and the client are delivered on the agreed schedule, e.g. weekly reports on vulnerability remediation progress, a monthly report on identity governance, monthly SLAs and weekly KPIs
4.1 Vulnerability Management:
· Lead the vulnerability management team, which is dedicated to governing remediation progress for all platforms and applications across the client's entire IT ecosystem
· Establish, implement and run the vulnerability remediation governance process
· Work closely with client stakeholders to ensure vulnerability remediation is effective and meets the required metrics, whether set by the Essential Eight, the client or other applicable standards
· Establish, implement and run the threat-intel-based vulnerability remediation process
· Work closely with the client's CSOC / threat intel team to identify any critical or zero-day vulnerabilities or threats that need urgent remediation, then work with the application teams to remediate them
· Ensure regular reporting on vulnerability status is submitted on the timeline agreed with the client, i.e. a weekly report to all leadership and support groups, monthly SLA and KPI data, and Monthly Performance Reports (MPRs) for the CIO scorecard
4.2 Identity Governance:
· Lead the identity governance team, which is dedicated to governing the user access review and certification process for all applications across the client's entire IT ecosystem
· Establish, implement and run the identity governance processes, such as standard and privileged access reviews, third-party access reviews, access profile reviews and role composition reviews
· CRITICAL: Work closely with the identity governance team to ensure all pre-checks are completed and the campaigns are launched and run end-to-end on schedule. Also ensure any issues hampering the campaigns are resolved so that people leaders can complete their reviews on time
· Work closely with the application owners, the IdentityNow team and the Identity Governance Lead to ensure all identities, accounts and profiles are recorded accurately and are certifiable
· Ensure regular reporting on identity governance status is submitted on the timeline agreed with the client, i.e. a weekly report on campaign status, a monthly summary report and monthly SLA data
5. Other ITRO responsibilities:
· Develop and facilitate an effective security training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers
· Align with the Strategy and Risk (S&R) practice and support practice-led initiatives
6. Certifications (preferred):
· ISO 27001 Lead Auditor
· Certified Information Security Manager (CISM)
· Certified Information Systems Auditor (CISA)