05/04 Ruchika Saim
Manager TA at Max Life Insurance


Max Life Insurance - Information Security & Business Continuity Planning Role (5-8 yrs)

Delhi NCR/Gurgaon/Gurugram Job Code: 558649

Position : Information Security and Business Continuity Planning

Department : Information Technology

Reporting to : Vice President - Information Security

Function : ERM

JOB SUMMARY

- Ensure that the requirements of ISO 27001(ISMS) and ISO 22301 (Business Continuity Management System) are implemented and adhered to.

- Ensure effective risk management in core areas of Privacy Protection, Cyber Security, Audit and Compliance, Security Awareness and Business Continuity

- Project manage the implementation of tools, processes and solutions that improve the posture of Information Security and Business Continuity across the organization.

- Ensure proper Incident Response process is in place and Cyber Crisis Plan is implemented effectively in the organization

- Ensure that various Information Security initiatives are implemented in the organization through awareness initiatives, regular tracking and effective governance.

KEY RESPONSIBILITIES : 

- Conducting Risk Assessments to identify, analyze and evaluate the Digital Risks faced by the Organization

- Evaluate and provide reasonable assurance, by assessing that risk management, control and governance systems are functioning as intended, that they will enable the organization's objectives and goals to be met.

- Report risk management issues and internal control deficiencies identified to the application owners

- Coordinate with business units in identifying business critical activities

- Supervise and conduct Business Impact Analysis as per the requirements of ISO 22301 (Business Continuity Management System) and respective regulations

- Develop and execute Disaster Recovery Plans for various applications; review and update existing plans and procedures at regular intervals

- Coordinate with stakeholders from the various business units to ensure the BCP plan is tested, and publish the BCP test report. Review and test the BCP plans of critical business partners

- Provide emergency response to BCP incidents as per the defined procedure

- Test and use the emergency communication tool effectively in BCP tests and scenarios.

- Supervise and conduct Risk Assessments as per the requirements of ISO 27001 (ISMS) and ISO 22301 (Business Continuity Management System)

- Act as the first line of audit for internal reviews and take the lead for external audits of the ISMS and BCMS

- Facilitate external auditors in performing the various internal and external audits (IRDAI, statutory and internal)

- Follow up with the relevant stakeholders for closure of findings arising from audits

- Contribute to initiatives for enhancing awareness of Information Security and Business Continuity.

- Integrate Security Incident Management with the BCP so that the BCP is invoked in a timely manner in case of a crisis.

- Review, monitor, implement and test the Cyber Crisis Management plan

- Prepare and maintain Security Incident and BCMS dashboards.

- Develop risk mitigation plans covering third-party, cloud, IT product implementation, network security, and engineering and architecture tools and technology implementation risks, etc.

- Create understanding of, and adequately address, any potential digital risks;

- Provide guidance on maximum acceptable recovery times for outages of core systems, and monitor and report any such events;

- Assess vulnerability assessment and penetration testing results for all applications and network devices;

- Design and roll out a framework for incident management and firm-wide data security;

- Review information security and data protection policies and act as a single point of contact for any queries regarding these policies;

- Establish clear risk management measures to cover risks associated with cyber-attacks, covering not only the IT function but also all relevant business lines;

- Develop the ability to detect and respond to cyber-attacks, cyber-crimes, etc.;

- Develop categories and definitions that provide the guidelines used to determine the appropriate level of protection for information held by Max Life Insurance

- Develop and maintain internal policies, standards, processes, procedures, and practices that prevent and detect fraud, misuse, and abuse of information.

- Work with the IT team to review procedures for applying the appropriate rules and rights for each user or group to access data and information;

- Review privilege and password rules and processes, and user registration and deregistration procedures for granting and revoking access to information systems and services;

- Review procedures to prevent unauthorized access to restricted systems, applications, and information;

- Ensure the identification and separation of systems, applications, and information based on criticality and sensitivity;

- Ensure that risk management is properly integrated with the system and software development lifecycle, that risk management policies are addressed during the requirements analysis phase, and that systems are developed or selected in accordance with applicable risk management standards;

- Review contracts made with vendors and suppliers in support of information systems to ensure that risk management requirements are defined and addressed;

- Design and implement information systems controls in alignment with the organization's risk appetite and tolerance levels to support business objectives;

- Review process design documentation to gain an understanding of the business process objectives;

- Evaluate the current state of information systems processes using a maturity model to identify the gaps between current and targeted process maturity and determine the approach to correct information systems control deficiencies and maturity gaps to ensure that deficiencies are appropriately considered and remediated;

- Analyze and document business process objectives and design to identify required information systems controls;

- Design information systems controls in consultation with process owners to ensure alignment with business needs and objectives;

- Facilitate the identification of resources (e.g. people, infrastructure, information, architecture) required to implement and operate information systems controls at an optimal level;

- Monitor the information systems control design and implementation process to ensure that it is implemented effectively and within time, budget and scope;

- Provide progress reports on the implementation of information systems controls to inform stakeholders and to ensure that deviations are promptly addressed;

- Facilitate the identification of metrics and key performance indicators (KPIs) to enable the measurement of information systems control performance in meeting business objectives;

- Assess and recommend tools to automate information systems control processes;

- Plan, supervise and conduct testing to confirm continuous efficiency and effectiveness of information systems controls;

- Risk monitoring and reporting: monitor and review the enterprise-wide identification, escalation and mitigation of IT risks arising from inadequate or failed internal processes, people, systems, or external events.

- Monitor organization's risk posture and risk management performance over time from the view of security, continuity and privacy risks;

- Develop content for Information Security and Business Continuity training and quizzes.

- Drive Information Security awareness initiatives in the organization

- Be part of all Information Security initiatives in the organization

SKILLS:

1. Analytical skills and process orientation

2. Strong Presentation and communication skills

Measures of Success:

1. ISO 27001 and ISO 22301 certification is sustained.

2. BCP tests (All branches, critical business partners) are conducted on schedule as per defined criteria.

3. Successful conduct of Information Security Audits.

4. InfoSec awareness initiatives are driven across the organization to create awareness and reduce security incidents

Desired qualification and experience

- Professionally qualified (BCA/ MBA / MCA / BE / B.Tech.)

- 5 to 8 years of experience working in Information Security, with a minimum of 2 to 3 years implementing and monitoring Business Continuity and Disaster Recovery services

- Knowledge of multiple IT service infrastructure platforms, to provide a strong base for DR coordination with the suppliers' technical services.

- High level of customer support on DR services and requirements

- Solid understanding of all information security domains

- Ability to connect security risk management aspects with technical controls.

- ISO 27001 and ISO 22301 Lead Implementer / Lead Auditor

- Excellent communication and collaboration skills with all levels of management and technical staff

- Extensive familiarity with all aspects of project management, including project planning, scheduling, budgeting and operations.
