Job description / Role
1. Develops, manages, and communicates the Corporate Information Security Framework that includes policies, standards and processes based on international standards (eg.ISO27001) as well as legal and regulatory requirements (e.g. PCI DSS, GDPR) ensuring its policies and procedures are adopted and adhered to.
2. Develops an overall information security and compliance strategy, and recommends appropriate controls and tools ensuring all are in line with company’s objectives, set measures and information control requirements.
3. Monitors environmental and market trends and pro-actively assesses impact to business strategies and advises necessary security controls in collaboration with experts in other functions e.g. legal, technical support, architecture.
4. Defines and implements a risk management framework for company to ensure that IT security and risks are managed to acceptable levels and in compliance with relevant regulations.
5. Co-ordinates periodic vulnerability assessments and penetration tests on IT environment to monitor performance, identify risks and threats, and manage solutions as required for the effective protection of information assets and/or regulatory compliance.
6. Ensures there is sufficient visibility at the appropriate management level for every risk – its impact, and cost of mitigation.
7. Conducts investigations on permission violations and defines org-level policies on the access rights.
8. Co-ordinates effective implementation of data protection program aligned to applicable regulatory regimes (e.g. GDPR). This includes records of processing, associated policies and procedures, and reporting and engaging with supervisory authorities whenever needed.
9. Directs and guides internal teams and/ or external providers to ensure that all information assets are well protected. Reviews, actions any exception to policies and standards based on impact and takes ownership for all Information security initiatives.
10. Keeps abreast with market trends and latest products related to information security and maintains a broad understanding of the environment, to source services from the external market.
11. Develops, manages, maintains, and regularly tests security incident-response-plan that ensures all incidents are reported, documented, resolved and recovered.
12. Handles any additional duties as directed by the Head of Department/CEO.