Job Ref: 204683817 | Employer: cv-library.co.uk | Job Type: Permanent | Country: United Kingdom | City: Birmingham | Post Code: B12 | Post Date: 15/10/2016 03:54
Group Information Security Manager
Responsibility for Information Security across SCC to enable compliance with the appropriate legislation, standards, certificates and/or other requirements needed in support of the SCC business. To act as the SME for all Information Security Activities in support of the wider direction of the company.
Provide strategic direction for the delivery of information security, have responsibility for the development and implementation of the group-wide information security programme.
Manage the group-wide information security, data protection and awareness initiatives and proactively promote & identify security improvements which enhance internal and external customer service & drive continuous growth.
Maintain an overarching accountability and responsibility for all aspects of security, including technical, operational, procedural, and compliance. Be fully conversant with security classifications and complement this with strong knowledge of key information security frameworks such as ISO/IEC 27001, CyberEssentials and HMG's Security Policy Framework.
Oversee and/or assist in performing on-going security monitoring and continuous improvement of information systems including risk assessment, gap analyses, new security capabilities assessments and recommendations.
The role will also have responsibility for leading the information security team, working closely with external security vendors and internal stakeholders within the individual businesses to maintain company standards.
Additional responsibility for driving information security projects and working closely with colleagues in Data Centre Services and IT to control risks and manage security incidents and events, working with external accreditation bodies where appropriate. The job holder should be a strategic information security leader with extensive experience in a high performing environment. They should also possess strong risk management experience and the ability to develop information security policies and procedures.
Information Security Management System and 27001
Responsible for the Information Security Management System (to be compliant with ISO 27001), including the maintenance and update of security policies and improvement notes. Lead the governance of information security, including chairing the Information Security Forum, managing the local security co-ordinators, developing appropriate reporting and analysis, and providing appropriate training, education and awareness across SCC.
General Information Security Activities
Lead or support the following Information Security Activities within SCC:
• Joint Crypto Custodian
• List X - Deputy Controller
• Management and where appropriate investigation of Security Incidents
• Response to Assurance & Governance Questionnaires including IGSOC, HMRC and PCI SAQ Questionnaire (Focus Lifecycle & Barclaycard for the SCC).
• Supporting the need for new accreditations requests including Cyber Essentials and Cyber Essentials Plus.
• Data Protection Officer for SCC (working with ICO, investigating data breaches, responding to SAR (Subject Access Requests)).
As the Information Security SME, attend the IT Governance meeting and IT CAB and provide security advice and guidance in support of the following applications / areas:
• ERP (e.g. AX)
• Ecommerce Apps (e.g. LifeCycle)
• Internal SCC Apps (e.g. MySCC, Open Uptime)
• External Cloud Apps (e.g. Gatekeeper, Office 365)
• CRM (e.g. ServiceNow)
Support of Bids / Sales
Enable the effective support of "Bids" and "Sales" by ensuring the maintenance and improvement of a comprehensive library of reference documentation for Information Security responses. Provide support, advice and guidance for the Sales function on Information Security beyond the scope of the reference documentation.
Security Supplier Relationship Management
Managing and maintaining all supplier relationships that provide group information security services. This includes planning review meetings, monthly catch-up calls, workshops and managing all interactions in order to maximise the value of the external security services we receive. This includes information assurance, security penetration testing, vulnerability scanning and compliance suppliers.
Customer Specific - Security Lead
Perform the role of the "Security Lead" for agreed customers, including being responsible for ownership, maintenance and governance of:
• Security Management Plan
• Security Incidents
• Improvement Notes
• Risk Register
• Attendance of Customer Security meetings as required.
Platform Specific - Sentinel / Sentinel Platform Compliance
Responsible for Sentinel Platform Compliance including:
• Chairing the SWG (Sentinel Working Group)
• PSN interface
• IA Meeting
• Performing the SIRO and SIRA role for the Sentinel Platform
• Sentinel ISO Peer Review Manager / review of Sentinel changes (CRs)
• Sentinel ITHCs and PSN Compliance programme (manage with AH)
• Maintenance of all certifications (Cyber Essentials Plus and PSN)
• Ensures that the system meets its objectives as agreed with the SIRO and IAO
• Contributes to the overall accreditation/ certification process for the platform (from a submissions perspective)
• Checks compliance with applicable regulations, standards, policies and guidance on information risk management
• Supports the development of the platform Risk Management Accreditation Document (RMADs)
Skills & Experience
• Holds at least 5 years' senior information security management experience.
• Holds at least two of the following valid qualifications: CISMP, CISM, CEH, CRISC, CISSP or ISO 27001 Auditor
• Has ISO 27001 and CyberEssentials experience
• Good knowledge of British & International security standards
• Working knowledge of PSN guidelines, SPF, GPG 13 and Data Protection Act
• Demonstrable experience of managing IT Health checks, penetration test engagements and vulnerability scanning programs
• Ability to develop conceptual models for the delivery of security improvements
• Demonstrate effective management skills
• PCI-DSS compliance knowledge
• Capable of obtaining and maintaining UK national vetting at SC level.
• Good IT technical security background
• Demonstrate a high level of integrity, accountability and ownership