Purpose
Information Security Governance refers to our companies coordinated strategy for managing the broad issues of corporate governance, enterprise risk management and corporate compliance with regards to regulatory, internal and external requirements.
Together with your team you are responsible to govern the effectively and cost-efficiently mitigation or remediation of risks that can hinder our organization’s operations or our ability to remain competitive in the market. You also ensure our company’s conformance with regulatory and internal requirements for IT operations, - and other IT/business practices.
Key Accountabilities
Security Compliance Program Management
* Proactively identify security gaps and support business/IT stakeholders on their demands
* Contribute to the creation of a business case that outlines a recovery compliance strategy including implementation plan, resources needed, budget and life cycle management.
* Develop a project charter and manage to successfully deliver the assigned projects, end-to-end, ideally through applying RAP methodology effectively. Manage the execution and completion of the defined project plan through effectively coordinating people and resources.
* Monitor the project variables (cost, effort, scope, etc.) against the project plan to implement corrective or preventative actions.
* Ensure regular status reporting is presented to project stakeholders and his manager. Be responsible and highlight any project obstacles with offering solutions for corrective actions. Follow up and drive issue resolution with project stakeholders.
Services and Governance
1. IT Policy & Standard Management
* Responsible to create IT individual policy- and standard rules within IT Compliance programs, ensuring that legal, contractual, internal, rules and regulations are met. Perform quality assurance with IT stakeholder and develop the review and approval material for senior management.
* Create awareness information and training material and provide regular update sessions with Markets and HQ. Ensure existing documents are up to date and centrally available.
2. IT Governance Framework
* Establish a framework for the respective service (e.g. PCI, ITSCM etc.), that outlines the scope, process, roles & responsibilities, lifecycle management, training material and a communication strategy.
* Create specific process documents including all necessary end-2-end workflows and ensure successful process implementation and lifecycle management across the organization.
3. IT Assessment Management
* Manage assigned assessments through identifying non-compliant area’s and topics for company critical assets IT systems, applications and processes.
* Enter the identified IT / SCM risks/topics to the global audit - and assessment database and/or Security specifics to ISMS.
* Consult, track and follow up with issue owners to ensure they become compliant and ensure risk mitigation/remediation.
4. Service Demand Management
* Manage the assigned task within the demand management process of Information Security Governance. This includes the alignment x-functionally within Information Security, stakeholders and requestors.
5. Contract support (Information Security)
* Create the third-party vendor contract annexes for Information Security for Global Procurement and IT Supplier Management.
External financial audit (IT)
* Support the Global IT SPOC for the yearly external financial audit. Coordinate the field work audit plan, organize field work kick off between IT Champs & external audit, challenge the audit field work results and align content with external audit.
Risk Acceptance
* Support the risk acceptance process activities. Evaluate the individual risk components, compensation controls and remediation activities.
If required: People Management
* Build the appropriate structure to be able to manage the respective organization effectively, identify and develop the future talents and create realistic succession scenarios for key positions
* Ensure appropriate leadership skills are present at every level by creating a motivational and supportive work environment in which employees are coached, trained and provided with career opportunities through development
* Allocate the different projects/programs and work streams to the respective teams and employees considering experience, project complexity, workload and organizational efficiency
Knowledge, Skills and Capabilities
* Pro-active mindset, ability to think end-to-end
* Ability to identify problems, collect data, establish facts and draw valid conclusions
* Ability to coach, guide and manage a (project/service) team
* Strong communication (both written and verbal) and facilitation skills (small and large groups), especially when interacting with different levels of business
* Ability to travel, domestic or international
* Fluent English (verbal and written)
* Strong experience with standards work in security, such as ISO 2700x, ISO27031/BS25999; PCI DSS, COBIT, COSO, OWASP; HIPPA etc.
* Industry recognized certification (CISA; PCI QSA / ISA; CGEIT; CRISC etc.)
* Ideally certified as CISSP, CISM, TISP
Qualifications
1. Four-year college or university degree with focus on Information Security or related areas, or equivalent combination of education and experience
2. Minimum of 6+ years of progressive work experience in the field of IT Compliance, Security and Governance
3. If required: 1-3 years of experience managing a team