Senior Analyst - Security & Compliance - IT

The Security & Compliance (S&C) Competency Centre (CC) Senior Analyst is responsible for the following:

Project Review and Technical Advice

- Review all new high risk projects; new technical designs; for Information risks and advise on suitable controls and mitigations at early stages of the program.

- Lead the S&C Analyst for specific technology and advice on the Information security for their projects.

- Offer advice to Shell and suppliers to assist in resolving questions and issues around how to manage risk

- Provide Subject Matter Expertise for projects and business stakeholders, in combination with the Improvement Program.

- Work with the architecture community to review new technology and architecture innovations.

The Security & Compliance (S&C) Competency Centre (CC) Senior Analyst is responsible for supporting the following:

Risk Management and Mitigation

- Assess and classify all potential business and infrastructure information risks.

- Execute, with suppliers, risk analyses on IT application/services.

- Develop and socialize our overall risk profile and action plans to mitigate risks

- Review and recommend approval project charters.

- Facilitate smooth conduct of Risk Assessment (including Legal & Regulatory) on Applications, Network& Systems

- Perform end to end Security Assessment on vendor offerings - New/Leveraging existing (SAAS / PAAS/IAAS) services including integration with Shell environment.

- Translate Technical, legal and Regulatory Compliance obligations into a cohesive collection of Security Controls and provides the respective stakeholders with the IRM requirements and its implementation methodologies.

- Support in development of tooling to support IRM processes and ensuring this is fit for purpose.

- Actively participate in S&C team and community meetings, representing S&C and Business interests in other CC forums.

- Support during Internal /External Audit

- Ensure that S&C continues to focus on risks significant to the Business, with emphasis on innovation.

Controls Management and Optimization

- Ensure controls are both risk-driven and based on industry standards

- Review and approve the control design of supplier and Shell technical specifications against Shells control requirements, as agreed contractually, during PDF project.

- Support the development of new IRM policies, tooling, procedures where required.

- An Individual Contributor, part of global IT engineering team

- Face of S&C; Interfaces with Project Delivery staff/Business / Business IT teams

- Responsible for the management of risk involving the security, IT regulations, Shell IT policies and other IT controls for all services delivered by the Key business and Infrastructure Suppliers and all services.

- Relevant (>6 years) experience with Information security and risk management

- Good understanding of, and experience with Information Risk Management, IT Security and Compliance and Security Controls and Audit

- Advanced understanding of internal and external IT security standards, SOX, PCI, SOC2/1, ISO27001 standards and relevant legal compliance aspects.

- Robust understanding of, and solid experiences with the impact of Security on application development and operations as well as the IT Infrastructure.

- Ability to promote high performance teams, working with inclusiveness and cultural diversity, across organizational boundaries.

- Good understanding of cloud security requirements and third-party control assurance.

- Ability to interface with different groups (Third parties, Business and IT) internal and external to IT (security) and to network globally across Group businesses, as well as with external groups.

Technical knowledge & relevant experience in security domains /technologies related to:

- Infrastructure/Network security

- Identity and Access Management

- Business Impact Assessment

- Application security

- Data Leakage Prevention

- End-Point Protection

- Web filtering technologies, Proxies and firewalls.

- Vulnerability Assessment / Penetration Testing

- Cloud security

- Knowledge of Data Security Standards: PCI DSS, Privacy Principles

- Driving Platform / Application security and compliance

- Ability to foresee and identify mitigation strategies for RisksCandidate must also:

- Display excellent communicating and influencing skills

- Display analytical and problem solving skills

- Be pro-active and self-motivated

Display strong interpersonal and negotiating skills with all levels of staff.

- Display Ability and eagerness to quickly learn new technologies.

Qualifications :

- A qualification in CISSP, CISA, CRISC or CISM

Experience :

- Must have previous experience in an (Information) Risk management and Control design role