Reference No: 2050/35
Company: Financial Services
Reports to: CISO
No. Required: 1
Start Date: ASAP
The Information Security Officer/Project Manager supports the CISO to ensure the business is secured and compliant with relevant requirements by assessing security maturity against defined standards/guidelines, then defining and implementing the security remediation program.
In close collaboration with the Chief Information Security Officer, lead the definition, implementation and reporting of the remediation program to ensure that risks are mitigated and security compliance is met. The remediation program will cover the following themes (list not exhaustive): access governance, infrastructure hardening, critical information identification and protection, IT and digital asset management, awareness and training, etc.
• Assess the compliance level and define the related remediation project plans:
o Assess the compliance of the different entities (UK and overseas) with the Group security requirements (500+ controls aggregated across several standards), using an approach suited to the context: a large number of controls to assess across multiple entities, with limited resources and a limited timeframe.
o Identify actions to be implemented to mitigate the information risk and ensure compliance.
o Structure the actions into a comprehensive list of security projects and detail the related project plans (resources, budget, schedule, etc.).
o Do the same for regulatory requirements (scope to be defined).
• Execute the remediation projects (approximately 5 to 7 projects): define and execute the project plan for each project. Examples of project tasks:
o Formalize Security policies and procedures based on industry standards and define related control framework. Instantiate the controls.
o Run information discovery.
o Drive a risk mapping exercise.
o Analyse compliance reports and perform technical assessments.
o Define and execute awareness program.
o Review and update a vendor risk assessment framework. Execute vendor assessments using this framework.
o Support and follow up on the remediation actions of first-line-of-defence teams (business units, IT, etc.) to ensure the controls are implemented and effective against the identified security requirements.
• Report on the remediation program:
o Complete the mandatory trackers.
o Define and produce KPIs, KRIs and dashboards on the execution of the remediation program for the CISO and local governance bodies.
o Set up, run and contribute to the related governance forums.
• Delivery of the remediation projects on the defined schedule, with the agreed achievements and deliverables.
• Remediation program and related key decisions agreed by the relevant local committees, with an appropriate level of information on program execution to measure progress against the agreed target, next steps and any escalations required.
• Group reporting delivered according to the deadlines.
• Remediation program contributors successfully engaged and briefed.
Provides insightful input to policy, standards and technology at a global level.
• Delivery of the remediation program in the timeline agreed.
Will be required to plan and organise the contributions of both internal and external parties to the security remediation program.
Skills & Experience
• Extensive experience in information security activities is required. Experience in a consulting firm is preferred.
• CISSP or an equivalent professional security qualification is a plus.
• Dynamism and pro-activity with a strong attention to detail and an ability to be flexible and adaptable to changes in a fast-paced environment.
• Ownership mindset: quality and delivery to timescale (deadline focused) and budget.
• Team player, able to work well with all levels, senior and middle management, and internal and external team members in multiple locations.
• Demonstrable experience of having delivered large information security projects or programmes. Experience implementing international security standards (e.g. ISO 27001, ISF) is a plus.
• Strong project and programme management skills with emphasis on delivery, risk