Description

Job Description

  • Develop information security plans aligned with business goals and objectives.
  • Identify current and potential legal and regulatory requirements affecting information security.
  • Identify drivers affecting the company (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
  • Obtain senior management commitment to information security.
  • Define roles and responsibilities for information security throughout the company.
  • Establish internal and external reporting and communication channels that support information security.
  • Establish a process for information asset classification and ownership.
  • Implement a systemic and structured information risk assessment process.
  • Ensure that business impact assessments are conducted periodically.
  • Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
  • Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
  • Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., procurement).
  • Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and an event-driven basis.
  • Develop and maintain plans to implement the information security strategy.
  • Ensure alignment between the information security program and other assurance functions (e.g., physical, human resources, quality, IT).
  • Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the security program.
  • Ensure the development of information security architectures (e.g., people, processes, technology).
  • Establish, communicate, and maintain information security policies that support the security strategy.
  • Design and develop a program for information security awareness, training, and education.
  • Ensure the development, communication and maintenance of standards, procedures, and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
  • Integrate information security requirements into the company processes (e.g., change control, mergers, and acquisitions) and life cycle activities (e.g., development, employment, procurement).
  • Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
  • Establish metrics to evaluate the effectiveness of the information security program.
  • Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
  • Ensure that processes and procedures are performed in compliance with the company's information security policies and standards.
  • Ensure the performance of contractually agreed (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) information security controls.
  • Ensure that information security is an integral part of the systems development processes and acquisition processes.
  • Ensure that information security is maintained throughout the company's processes and life cycle activities.
  • Provide information security advice and guidance (e.g., risk analysis, control selection) in the company.
  • Provide information security awareness, training, and education (e.g., business process owners, users, information technology) to stakeholders.
  • Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
  • Ensure that noncompliance issues and other variances are resolved in a timely manner.
  • Develop and implement processes for preventing, detecting, identifying, analyzing, and responding to information security incidents.
  • Develop plans to respond to and document information security incidents.
  • Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
  • Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
  • Integrate information security incident response plans with the company disaster recovery and business continuity plan.
  • Organize, train, and equip teams to respond to information security incidents.
  • Periodically test and refine information security incident response plans.
  • Manage the response to information security incidents.
  • Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

SPU REFERENCE: RFQ: SPU-CIO-MS-2024-01
Minimum Qualification

  • Relevant Degree/Diploma in ICT; CISA certification is advantageous.
  • Willingness to work outside normal hours.
  • 5 to 7 years of related experience.
Minimum Experience

  • Proficiency with enterprise information systems, file servers, networked data storage, application software, scripting and programming languages, data communication devices, and disaster recovery utilities
  • Knowledge of current systems and network technologies and standards and their practical application in the enterprise environment
  • Good understanding of IT Governance frameworks and legislation
Education

Any Graduate