Chief Information Security Officer - BFSI/IT

JOB DESCRIPTION

Position title : Chief Information Security Officer

Department : Information Technology

Direct Reportee : One (Senior Manager)

Key responsibilities :

- A Leadership Role to Define and Implementation of Cyber Security including Information Security Policy at group level (Including all business unit's Regulatory and compliance requirements) and monitoring the same. Including MAS (Monetary Authority of Singapore) Technology Risk Guidelines

- Define and Implementation of Data Privacy Protection Policy at group level (Including all business unit's Regulatory and compliance requirements) and monitoring the same. Including GDPR and IDPR Privacy Guidelines

- Supports CTO and Group CTO in implementing the group wide Information Security strategy and roadmap.

- Ensures alignment of all IT Activities with IT Security Strategy.

- Set up monitoring and controlling of Information Security directives on a corporate level

- Set up SOC for all Cyber Security, Information Security and Data Privacy Incidents Management

- Ensures an effective communication between the business responsible / key users and the IT Department

- Liaises with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure Company Group maintains a strong security posture and promptly responds to security incidents.

- Conducting a continuous assessment of current IT security practices and systems and identifying areas for improvement

- Running security audits and risk assessments

- Delivering new security technology approaches and implementing next generation solutions

- Ensuring compliance and governance is met

- Protecting the intellectual property of the organization at all times

- Devising strategies and implementing IT solutions to minimize the risk of cyber-attacks

- Reviewing, analyzing and delivering data information

- Managing the IT security budget and communicating this with the appropriate parties

- Responsible for protecting organization's computers, networks, data and Privacy against threats, such as security breaches, computer viruses or attacks by cyber-criminals

- Responsible for defining all required standards, requirements, policies, procedures, device configuration documents i.e. hardening documents or MBSS, forms, guidelines, awareness, training wrt

Information Security

- To become a model of good practice for the applicable legislation which it regulates and is committed to continuous improvement in this area.

- Conducting internal and certification related Information Security and Data Privacy audit for the projects and support business groups. Including VAPT tests to internal as well as public network applications and systems

- Facilitate technology, information and privacy risk assessment to all business units and maintain risk inventory repositories for the respective Business Units.

- Fulfilling the assessment and providing guidance from Segregation of Duties perspective

- Provide inputs for IT policies and facilitate enhancement for process improvements.

- To promote security awareness by developing and implementing a security awareness and training program

- To investigate suspected and actual security incidents in accordance with the security incident management standard, produce reports with recommendations and ensure any remedial action is taken. Also, responsible for submission and action for CAPA (Corrective Action and Preventive Action)

- Produce reports for the Information Security Steering Committee (ISSC), Information Asset Owners/Custodians and the Risk and Compliance Officers as required

- Become active member of CAB (Change Advisory Board) to certify and approve change requests from Information Security assessment perspective

- Respond to enquiries from staff and provide security advice as required

- Participate in vendor discussions on topics related to Information security and regulations compliance.

- Facilitate implementation of security plan in conjunction with other support functions like IT management Team, Physical Security, Human Resource Security, Facility Administration.

- Representing Management Review meetings to present Information security initiatives.

- Security - ensure continued compliance with established security and confidentiality policies

- Provide general and specific information about security risks and controls to those who need to know so that they can recognize and respond to potential incidents.

- Motivate employees, contractors, and consultants to change their behaviors and incorporate security concerns into their decision making. Improve overall compliance with the organization's information security policies, procedures, standards, and checklists

- Business Continuity and Disaster Recovery - Revise periodically as required by business and ensure continued compliance with established Business Continuity policies and procedures.

- Report on Information Security project metrics on a regular basis; collaborate with IT functional leaders to address gaps

- Completely responsible and accountable for Cyber Security, Information Security and Data Privacy health for an Organisation

- Act as backup person to Infrastructure person vice-versa

- Role Specific - Strong overall Information Security skills

- Strong overall Data Privacy Protection skills

Competencies:

- Strong Knowledge of ISO/IEC 27001:2013 Standard

- Strong Knowledge of ISO/IEC 22301:2013 Standard

- Strong Knowledge of PCIDSS Standard

- Strong Knowledge of ISO/IEC 27017:2015 Standard

- Strong Knowledge of ISO/IEC 27018:2014 Standard

- Strong Knowledge of MAS Technology Risk Guidelines

- Strong Forensics Skills i.e. In addition to scientific knowledge, utilize a variety of skills to conduct thorough investigations, Legal Process, Must have a complete understanding of the role of forensic expert required by the law

- Ability to setup SOC and Operate in effective manner

- Strong Infrastructure including Networking and IT Security Skills

- Good working knowledge of information risk analysis/management

- Ability to respond to common inquiries or complaints from customers, regulatory agencies, or members of the business community.

- Ability to write articles that conform to prescribed style and format.

- Ability to effectively present information to top management, public groups, and/or boards of trustees. Strong people management and senior stakeholder management skills

- Ability to influence at senior levels on matters relating to security and information risk

- Sound understanding of business processes & organization

- Expert in Information Security processes and operational KPIs

- Experienced aligning IT strategies and compliance policies

- To lead and deliver change and contribute to culture change successfully

- Good Project management skills

- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity.

- Effective time management and organization skills

- Positive attitude towards learning and development demonstrated by a record of continuing professional development

- Ability to adapt any process changes in minimal time period

Formal Qualifications / Prior - B.E / Btech / MCA

Work Ex - CISM, CISSP, CISA, CCSP Certified

- ISO 27001 Certified Lead Implemented and Lead Auditor

- ECH Certified

- Forensics Certified

- Virtualization and Cloud Computing Strong Knowledge

- Data Centre and Public / Private Cloud Operations Knowledge

- SOC Setup and Operating Knowledge

- ITIL V3 Certified

- PMP Certification preferred

- Minimum 12-15 years experience and exposure to Information Security in a professional enterprise and minimum 8-10 years managing Information Security standards in financial services or banking industry with exposure to ISO 27001:2013, COBIT, PCIDSS standards.