Responsible for the development and consistent delivery of Information Security policy and practices across the Group ensuring effective and timely provision of all related services in line with relevant legislative, contractual and regulatory requirements. Influence business decisions through the provision of specialist advice to the CIO and Executive Team on all relevant security policy, regulations and working practice. Where appropriate represent the Company externally and be recognised as specialist in this field.
Key Responsibility Areas:
Development and implementation of Information Security Policy
• Develop policy and ensure management engagement and support
• Ensure its consistent and effective implementation across the group including the creation of supporting policies and operational procedures
• Detect Security Risks and Incidents and ensure visibility of security risks and remediation progress to the CIO
• Respond to Security Incidents and ensure all stakeholders understand and perform their duties when an incident occurs
• To assist in the investigation of suspected and actual breaches of security and recommend remedial action as required. To maintain a log of such security incidents and remedial recommendations and actions.
• Conduct regular Security Forum meetings with interested parties to identify, review, and assess ongoing business risks and take ownership for the Group risk register and security actions on the Continuous Sustainable Improvement Plan (CSIP).
Management of Information Security Management System
• To assimilate and understand all legislative, contractual and regulatory requirements and KPIs, with an emphasis on the development, implementation, review and improvement of the organisation’s Information Security Management System (ISMS).
• Ensure full compliance with the ISMS through the effective management of incident management and risk assessment programmes and security audits
• To conduct ISO 27001 audits throughout the business on a regular basis
• To review and propose amendments to the ISMS, in light of the new version ISO 27001: 2013
• To assist in the facilitation of external audits, reviews and penetration tests
• Facilitation and planning of Business Continuity Plan exercising and reporting.
Ensuring Security Awareness and provision of specialist advice
• Support training and education programmes for Managers across the business to ensure awareness of security issues and the understanding of roles and responsibilities
• To provide specialist advice to the organisation, ensuring compliance with relevant statutory, contractual and regulatory requirements and conformance to the ISO 27001/CAS-T standards and, generally on information risk analysis/management.
• To assist in the development and communication to the organisation of suitable and relevant information security policies and procedures,
• To act as a consultant on new projects, advising on matters relating to security, including information technology security.
Commercial Support
• Provide support to the CIO in bid management process, providing specialist input into proposals and responding to security and compliance related matters.
• Where appropriate support sales in customer meetings
Education & Qualifications
• IRCA certified ISMS Auditor/Lead Auditor
• Certified Information Security Manager (CISM) qualification or similar
• Proficiency with all methodologies relating to Risk Management. Experience of COBRA, CRAMM, SOMAP is required
• Awareness of PCI, SoX and technical aspects (Penetration Testing, Vulnerability Assessments) would be advantageous
• Knowledge of current HMG security standards and direct experience in security risk evaluation and security accreditation in the public sector. Experience of working with HMG accreditors and other suppliers is key as is direct experience of CESG policies and assessments
Skills & Experience:
• Extensive experience as a security officer, ideally within the Technology sector
• Demonstrable experience running security education programmes across all levels within the organisation
• Detailed knowledge of the ISO 27001 Standard
• Detailed knowledge of CAS-T
• Strong IT skills