We are hiring an Information Security Officer with 8+ years’ experience.
Our primary hosting platform is Azure, and we leverage various analytics, storage and orchestration tools on the Azure environment for use in our product.
Regulations and Security Standards Utilised:
- SOC 2 TYPE 2
You would ideally:
As a member of our team, the primary focus of your role is to be responsible for identifying and assessing the Information Security requirements of the business. The ISO is responsible for the establishment and maintenance of an Information Security Management System (ISMS) and for ensuring that the appropriate Information Security controls are implemented, maintained, and aligned with the Information Security Management and Cyber Resilience policies. You will also be responsible for Security Awareness, Risk Management and translating risks and the effect thereof to ensure informed risk assessment.
Other responsibilities include:
Participation in Information Security bodies and initiatives, logical access management, incident response, vulnerability management, IT audit coordination, ensuring new systems adhere to security policy and providing management assurance regarding the Cyber and Information Security posture of the business.
You’ll work closely with stakeholders across the business, assurance providers and third parties. You’ll also assist with providing information security services to the business itself (reporting lines to Head of Engineering, technical and business leads, end-users as their client).
You should ideally have:
- Bachelor’s degree in Information Technology, Commerce, Science, or Social Science – Beneficial.
- At least one of the following must be current: CISM, CISSP or ISO 27001 Lead Implementer. Experience in SOC 2 TYPE 2 is beneficial.
- You must have a minimum 5 years’ experience in Policy writing and reviews
- You must have a minimum 5 years’ experience in Agile/relevant solution development methodologies
- You must have a minimum 5 years’ experience in Security practices and standards in development like the security development life cycle (e.g. OWASP)
- You must have a minimum 5 years’ analysis and control design experience
- Technologies: Knowledge of ISO27000, COBIT, ITIL, CIS T20 and ISF best practices.
- Other: Knowledge of Information Risk Methodologies (ideally IRAM2), threat modelling and Operational Risk management methodologies
- Understanding of the risk management and governance structures within the Cluster
- Knowledge of the key business processes, key stakeholders and have their contact details readily available
- Good understanding of the business and technology environment of the business and the potential risks
- The ISO must have an action plan to implement initiatives in the business
- The ISO will report to the Head of Engineering on new initiatives, plans and progress which will be discussed at the relevant committees
- Review and improve existing IT and Information Risk assessment, reporting and management practices
- Up to date and complete Information Security Risk register
- Documented Security risk management action plan. This must include relative priorities of agreed actions; ownership of the actions; agreed timelines. Priorities will be aligned to business priorities
- Up to date and complete cloud register (if these services are used in the business)
- Review and respond to Risk Acceptance requests within the agreed time
- Document processes and artefacts that prove that the relevant Governance and Assurance processes were implemented as designed
- Clear and timely communication to management and users regarding planned awareness campaigns
- Risk assessment that identifies a requirement for additional awareness or targeted education, training and awareness interventions
- Documented Logical Access review schedule for Business Applications, review results, facilitate resolution, progress report on resolution of issues that were identified during the reviews
- Review and respond to audit findings related to application logical access and other Information Security findings. Ensure that the ratings are accurate
- Provide management comment to the audit observations/findings that is specific as far as actions and due dates are concerned
- Track and follow up on audit finding commitments
- Report all cyber security incidents, or information security incidents (including privacy related incidents) where the compromise was through technology to the relevant committees
- Be contactable or provide alternative contact details for Cybersecurity incidents that are identified
- Ensure appropriate actions are taken when policy breaches are identified
- Assist by facilitating engagement and communication with key stakeholders in the business during a major incident
- Provide context on system and process criticality
- Produce Quarterly ISO reports
- Provide input into requirements documents – ensure security roles; auditing; data protection (in transit and rest); monitoring etc. are defined in line with approved Information Security policies and standards
- Ensure that Security ‘gates’ are a formal part of the SDLC/Agile/relevant solution development methodology
- Interventions and role-players must be clearly specified
- Active participation in sanctioned industry bodies (e.g. ISF Live, ISACA)
- Timeous escalation of new, high or escalating risks.
- Engage with application owners and operations team to ensure that system vulnerabilities that were identified during Penetration tests, Red Team exercises or Vulnerability scans are addressed. Ensure that the CTO is aware of risk and actions required
- Facilitate workshops and risk documentation during Control Self Assessments, or Crown Jewel Risk Assessment processes
Your skills and character traits:
- Understanding of the technical and application environment of the business
- Risk assessment skills and a good understanding of the business and technology environment of the business and the potential risks
- Project management and planning skills
- Ability to translate technical concepts into business language
- Ability to assess, propose and evaluate or facilitate security control adequacy and effectiveness
- Ability to challenge and respond to the audit findings if necessary
- Strong written and verbal communication skills
- Ability to pay attention to detail is critical
- Process discipline and high level of accuracy
- Effective facilitation skills – to agree actions, timelines, and relative priority to other business priorities
- Ability to influence key stakeholders based on sound analysis and understanding of the root causes of problems and issues
- Conflict handling and negotiation skills
- Integrity and trust
- Action orientation and self-starter
- Learning orientation
- Ability to work under pressure
We love people with a creative approach to problem-solving. If you want to be part of and build an open learning-oriented culture, then reach out. Let’s compare notes.
Contact: Rudolph ([email protected])