Information Security Officer

Information Security

Information Security Responsibilities

• Primary responsible for planning coordinating and organizing Information Security activities.

• Enforce and monitor the implementation and compliance with IT Information Security Policy.

• Develop and manage the implementation of Information Security Policies and Procedures.

• Ensure Risk Assessments are conducted on all information systems such as people process technology and information processing facilities.

• Ensure implementation of all Information Security controls as set forth in the Risk Treatment Plan to ensure adequate security for the respective system.

• Conduct Information Security communications and outreach by leveraging the Information Security Management System (ISMS) committee.

• Establish appropriate measures to assess operational capabilities and determine compliance and effectiveness levels with Information Security Policy.

• Supervise other related assurance functions as necessary.

• Ensure the compliance of Information Security Policies in the organization.

• Develop and ensure implementation of Information Security procedures.

• Develop and ensure implementation of incident handling and reporting.

• Follow-up escalate and report the resolution of Information Security issues identified during security assessments penetration tests and audits.

• Develop implement and maintain Disaster Recovery (DR) procedures and infrastructure in relation to the Business Continuity Plan (BCP)/IT Service Contingency Plan.

• Conduct and coordinate Information Security awareness and orientation programs.

• Responsible for conducting Committee meetings.

Security Incident Management

• Incident Management:
  Establish a formal procedure for internally reporting and tracking security incidents. Ensure incident response and escalation procedures are followed and inform all employees contractors and third-party users of their responsibility to report security incidents.

• Incident Handling:
  Participate and/or oversee the investigation and management of information security events and policy violations and track them to conclusion.

• Incident Notification and Reporting:
  Follow policy for the notification and reporting of incidents immediately upon discovery.

• Corrective/Preventive Actions:
  Develop and document corrective action plans and implement preventive actions to mitigate recurrence.

Problem Management

• Analyze a security incident to detect an underlying problem that exists or is likely to exist.

• Categorize and prioritize the problem based on the frequency severity and impact of the incident.

• Investigate and diagnose the root cause of the problem.

• Test and apply temporary workarounds.

• Document the known error record.

Risk Management

• Risk Management Program:
  Create a formal process to address risk through the coordination and control of activities regarding each risk.

• Risk Assessment:
  Conduct formal vulnerability assessments of the environment on a regular basis.

• Risk Mitigation:
  Create a formal process to mitigate vulnerabilities and more.

Qualifications

Experience

• 8 years in IT work experience

• 5 years in a similar role

Education

• Bachelor of Engineering

• Or Bachelor of IT

• Or Bachelor of Computer Science

Certifications

• CRISC – Certified in Risk and Information Systems Control

• Or ISO/IEC 27001 Lead Implementer or Lead Auditor

• Or CISSP – Certified Information Systems Security Professional

Required Skillset

• Expertise in implementation of security frameworks such as NIST ISO/IEC 27001 and other local regulations and frameworks.

• Expertise in compliance requirements like GDPR HIPAA PCI DSS SOX and other relevant laws and regulations.

• Expertise in conducting risk assessments identifying security risks evaluating impact and implementing mitigation strategies.

• Expertise in developing policies procedures and processes.

• Expertise in creating and managing security awareness and training programs to educate employees on cybersecurity threats and best practices.