Background and Purpose:
The Security Control Oversight function is responsible for ensuring the continued adequacy and relevance of the Group's information security and privacy policy, including establishing the framework that ensures the underlying standards and procedures required to support implementation and fulfilment of the Policy requirements are clearly defined, communicated and executed consistently.
Other duties include: a) managing audit engagements during fieldwork, fulfilling audit RFIs (requests for information), and preventing, validating and remediating audit issues; b) producing management information and reporting on control programme updates and risk in the various Group governance and risk forums; c) establishing, executing and continuously improving the third-party security review framework and process.
- Develop, manage and execute information security (including cyber) assurance reviews
- Produce Business Unit- and Group-level reports on the status of implemented information security (including cyber) controls and Policy, including coordinating the annual Turnbull Policy attestation exercise.
- Oversee the submission and fulfilment of audit RFIs addressed to the Group information security and privacy team.
- Coordinate audit readiness exercises when required, to ascertain control posture prior to a major audit.
- Use the output and knowledge gained from assurance reviews to shape the development of Group information security policy, technical standards and procedures
- Establish a process and tooling to track exceptions to Standards and Policy.
- Periodic review, continuous improvement, and compliance management of Policy and standards.
- Coordinate the structure and management of Standards across all security disciplines.
- Third-party security management and oversight (assessment process and templates, and performing assessments of regionally engaged third parties)
- Continuous improvement and development of the tooling and process used to manage audit RFI submission and fulfilment.
- Prepare presentation decks and analysis papers for submission to the various senior governance forums within the Risk and Digital departments.
- Experience of implementing information security (including cyber) policy and systems, including supporting procedures and technical standards.
- Experience and understanding of information security (including cyber) standards and their implementation, including for example:
- International security control standards (e.g., ISO, ISF, NIST)
- Security architecture, infrastructure and technologies, e.g., network security, web services, operating systems, etc.
- Implementation and management of information security (including cyber) controls
- Information security (including cyber) audits and reviews
- Technical and procedural risk analysis
- Information security (including cyber) policy development
- Information security (including cyber) compliance monitoring
- Ability to manage information security (including cyber) projects related to all business units
- Strong analytical skills; good written and verbal communication skills
- Pro-active, with the ability and confidence to drive forward discussions, coordinate activities, make judgements and take decisions
- Ability to work under pressure and cope with competing demands
- Ability to deal with people at all levels and build strong working relationships
- Ability to deal appropriately with information which may be highly sensitive
- Appropriate graduate and/or professional qualifications, e.g., CISM, CISA, CISSP (or equivalent industry experience)
- Technically competent, able to translate information security topics, initiatives and programmes into something digestible for stakeholders outside the information security community.
- Subject matter experience across diverse information security areas (e.g., application security, cloud security, vulnerability management, agile lifecycle management, DevSecOps)
- Strong business acumen within the insurance / financial services industry and related operational fields.
- More than 10 years' experience in the information security, privacy and technology risk field, preferably in the financial services industry.