Crisil - Associate Director - Information Security/Governance/Risk & Compliance

Associate Director Information Security Governance,Risk & Compliance

- Establishing and maintaining Information security program conforming to ISO/IEC 27001:2015 for uplifting the cyber resilience and incident response for CRISIL in compliance to Information Security and Cybersecurity Policy, Common Security Standards, Technical Security Standards, Industry best practices and CISO Directives.

- Responsible for assisting CISO in reporting to CRISIL Management and IT Risk Committee the critical cyber security threats and vulnerabilities that CRISIL is exposed to, ensuring emerging cyber threats and the bank's preparedness in response to these threats are reported and discussed in the CRISIL IT Risk Committee.

- Be the focal person for CRISIL during various audits, be able to communicate accurately and effectively CRISIL's security posture and regulatory compliance status. Be the point of contact and interact regularly with regulatory agencies and Computer Emergency Response Team (CERT-In).

- Support and manage ISO 27001 and SOC2Type2 external and internal audits.

- Responsible for driving the regulatory compliance for Cyber Security Framework and all current and future advisory notes received from the regulator.

- Being the information security and cyber policy owner, responsible for development of (but not limited to) CRISIL Information Security and Cyber Security Policy, Data Governance and Classification Policy, Access Control Policy, Acceptable use of assets and asset management policy.

- Keep abreast with country specific cyber threats through maintaining close work relationship with regulatory agencies CERT-In, attend RBI's cyber events & trainings

- Establish a Cyber Management Group with representations from CRISIL management and functional heads. Establish and maintain the Cyber Incident Response Plan (CIRT) which defines the roles and responsibilities amongst key functional stakeholders during a cyber incident.

- Planning and executing periodic cyber breach simulation exercises, make sure CRISIL Branch is well prepared for any cyber breach incidents with widespread impacts.

- Responsible for developing CRISIL cybersecurity KRIs and KPIs and presenting the KRIs and KPIs to CRISIL risk committee for independent challenge and management oversight.

- Work with the CISO & CIO to develop a holistic risk management framework for CRISIL.

- Partner with 2nd Line IT and Cyber Risk Management, Country Compliance and Global regulatory compliance activities. Provide subject matter expert advisory on cybersecurity, security technology, best practice and regulatory compliance requirements.

- Manage risk remediation activities for CRISIL, ensuring the remediation works are executed in accordance to the approved timeline and deliverables.

- Manage risks associated with third party suppliers, conduct third party due diligence and ongoing risk management activities in accordance to the bank's Third-Party Risk Management Framework.

- Conduct Information Security awareness training periodically to general staffs and functional leads across the CRISIL.

Education / Experience / Other Information:

- Bachelor degree in Engineering or Graduation in Computer Science degree or equivalent degree

- 12-15 years' experience in information security, cybersecurity, technology risk management in large multinational financial / technology institutions environment

- ISMS ISO 27001 LI/LA and other Security related certifications viz., CISA / CISM (or equivalent) is an advantage.

- Hand-on experience on Process definitions, process drafting, documentation, conducting and managing audits, knowledge of Data privacy laws of various countries

- Excellent verbal and written communication skills.

Roles and Responsibilities:

Accountabilities:

- Establishing and maintaining Information security program conforming to ISO/IEC 27001:2015 for uplifting the cyber resilience and incident response for CRISIL in compliance to Information Security and Cybersecurity Policy, Common Security Standards, Technical Security Standards, Industry best practices and CISO Directives.

- Responsible for assisting CISO in reporting to CRISIL Management and IT Risk Committee the critical cyber security threats and vulnerabilities that CRISIL is exposed to, ensuring emerging cyber threats and the bank's preparedness in response to these threats are reported and discussed in the CRISIL IT Risk Committee.

- Be the focal person for CRISIL during various audits, be able to communicate accurately and effectively CRISIL's security posture and regulatory compliance status. Be the point of contact and interact regularly with regulatory agencies and Computer Emergency Response Team (CERT-In).

- Support and manage ISO 27001 and SOC2Type2 external and internal audits.

- Responsible for driving the regulatory compliance for Cyber Security Framework and all current and future advisory notes received from the regulator.

- Being the information security and cyber policy owner, responsible for development of (but not limited to) CRISIL Information Security and Cyber Security Policy, Data Governance and Classification Policy, Access Control Policy, Acceptable use of assets and asset management policy.

- Keep abreast with country specific cyber threats through maintaining close work relationship with regulatory agencies CERT-In, attend RBI's cyber events & trainings

- Establish a Cyber Management Group with representations from CRISIL management and functional heads. Establish and maintain the Cyber Incident Response Plan (CIRT) which defines the roles and responsibilities amongst key functional stakeholders during a cyber incident.

Planning and executing periodic cyber breach simulation exercises, make sure CRISIL Branch is well prepared for any cyber breach incidents with widespread impacts.

- Responsible for developing CRISIL cybersecurity KRIs and KPIs and presenting the KRIs and KPIs to CRISIL risk committee for independent challenge and management oversight.

- Work with the CISO & CIO to develop a holistic risk management framework for CRISIL.

- Partner with 2nd Line IT and Cyber Risk Management, Country Compliance and Global regulatory compliance activities. Provide subject matter expert advisory on cybersecurity, security technology, best practice and regulatory compliance requirements.

- Manage risk remediation activities for CRISIL, ensuring the remediation works are executed in accordance to the approved timeline and deliverables.

- Manage risks associated with third party suppliers, conduct third party due diligence and ongoing risk management activities in accordance to the bank's Third-Party Risk Management Framework.

- Conduct Information Security awareness training periodically to general staffs and functional leads across the CRISIL.

Educational Qualification - Bachelor degree in Engineering or Graduation in Computer Science degree or any other graduation / post graduation

Educational Qualification - Bachelor degree in Engineering or Graduation in Computer Science degree or any other graduation / post graduation