Information Risk Specialist - City of London

IT/Information/Cyber Security
Ref: 151 Date Posted: Monday 13 Mar 2023
LinkedIn ShareShare
Company:           Financial Services
Location:            Hybrid - City of London
Reports to          Information Risk Manager
Salary:                 £80,000
Benefits:             Generous
No. Required:    1
Start Date:          ASAP
The Role
As the Information Security Risk Specialist, you shall support the Information Risk Manager which has responsibility for all Governance Risk and Compliance activities in the designing of appropriate policies and organisational controls. You will ensure that the control environment supports the mission of enterprise software vendor, operator of the Corda Network and Managed Services provider.
You'll be used to working in environments with mature security controls, but have the insight to bring a risk-based approach to a fast-moving company with a start-up culture. This is an opportunity to help "write the book" on building security assurance and good security practices for enterprise blockchain.
  • Support the Information Risk Manager in the delivery of security governance, risk and compliance activities globally. 
  • Drive the different types of security risk assessments across different business lines and manage risks via the risk register.
  • Ensure assurance activities are appropriately implemented across different business lines, and as required, you will be required to test the effectiveness of those controls.
  • Conduct security assessments and due diligence activities of critical 3rd party suppliers/vendors.  This shall include liaising with key stakeholders such as IT, Legal and Business Resources.
  • Support customer due diligence activities, contract reviews and customer security review activities as necessary.
  • Support the Information Risk Manager and the wider Security team in the development, operation and maintenance of the security control environment (ISMS) including information security policies, standards and guidelines.
  • Identify emerging security requirements from our clients and ensure that capabilities to meet those are baked-in to our products and services.
  • Have a firm understanding of implementing mature security controls/practices across the organisation and engaging with stakeholders across the business.
  • You'll have 3/5 years of experience in a direct information security role specialising in governance, risk and compliance activities.
  • We believe that we work better as a team, and hope you share that belief. You'll be working in a diverse group of people with a variety of skills and backgrounds, a high level of emotional intelligence will be assumed.
  • You'll need excellent communication skills, both verbal and written.  You should be confident in explaining security terms and principles to an audience who may not be familiar with the underlying concepts. 
  • You will assist in defining the ISMS and controls assurance environment creating the appropriate documentation/evidence to support external assessments.
  • Working knowledge of ISO 27000 or NIST Cyber Security Framework would be great, but experience with other recognised standards will be acceptable.
  • You should have worked in an organisation certified to ISO 27001 or gained SOC2 certification.  You will have been part of this journey and understand the controls needed to achieve different certifications.
  • A firm understanding of the security practices which should be adopted for different legal and regulatory requirements such as PCI-DSS, GDPR, or different regulatory bodies.
  • Have responsibility for conducting security assurance/assessment activities and able to demonstrate process improvements to enhance the maturity of security controls. 
  • You will have a solid appreciation of the variety of technical controls including endpoint security, identity and access management, network security controls (firewalls, VPN), intrusion detection and security event management/log analysis tools.
  • You won't be expected to be hands-on with these tools, but you'll certainly need to be aware of how they fit within the control environment which you will help to design and operate.
An MSc in Information Security or a CISSP, CISM, CISA.  Appropriate career experience is just as important though. Be prepared to tell us all about that experience.