The Head of Information Security has overall responsibility for the Information Security and Internal Audit function and oversees the Information Security and Internal Audit posture of the organization. The position ensures that the Board of Directors, management and employees comply with the rules and regulations of regulatory agencies, that company policies and procedures are followed, and that behavior in the organization meets the company's Standards of Conduct.
The Information Security and Internal Audit Officer acts as staff to the CEO, the Board of Directors and the Information Security Committee, monitoring and reporting the results of the company's security/ethics efforts and providing guidance to the Board and senior management team on matters relating to security risk. Works to ensure that roles, responsibilities, and results are efficiently coordinated and collectively optimize the effectiveness of the company's risk management, control, and governance.
• Develops, initiates, maintains, and revises policies and procedures for the general operation of the Security Program and its related activities to prevent illegal, unethical, or improper conduct. Manages the day-to-day operation of the Program.
• Develops and periodically reviews and updates Security Standards of Conduct to ensure continuing currency and relevance in providing guidance to management and employees.
• Collaborates with other departments (e.g., Risk Management, Internal Audit, Employee Services, etc.) to direct security issues to appropriate existing channels for investigation and resolution. Consults with the corporate attorney as needed to resolve difficult legal security issues.
• Responds to alleged violations of rules, regulations, policies, procedures, and Standards of Conduct by evaluating or recommending the initiation of investigative procedures. Develops and oversees a system for the uniform handling of such violations. Develops and maintains an ongoing Incident Management Program.
• Develops or implements open-source/third-party tools to assist in the detection, prevention, and analysis of security threats. Implements proactive protective measures.
• Acts as an independent review and evaluation body to ensure that security issues and concerns within the organization are appropriately evaluated, investigated and resolved.
• Monitors and, as necessary, coordinates the security activities of other departments to remain abreast of the status of all compliance activities and to identify trends.
• Identifies potential areas of security vulnerability and risk; develops and implements corrective action plans for the resolution of problematic issues and provides general guidance on how to avoid or deal with similar situations in the future. Ensures this through review of the existing security controls in the Operations, IT, Sales and Finance Departments.
• Provides reports on a regular basis, and as directed or requested, to keep the Information Security Committee of the Board and senior management informed of the operation and progress of compliance efforts.
• Proactively plans for and monitors the infrastructure for threats and cyber security breaches. Ensures legal coverage with third parties that connect to the infrastructure to provide or consume services.
• Maintains critical infrastructure and determines mitigation strategies in line with the business by identifying the vulnerabilities and their associated risks. Should be able to maintain infrastructure configurations using configuration management tools such as Chef.
• Ensures proper reporting of violations or potential violations to duly authorized enforcement agencies as appropriate and/or required.
• Establishes and provides direction and management of the security Hotline.
• Forensic investigation skills are a nice-to-have; alternatively, develops a program to carry out forensic analysis once a breach has been identified.
• Code analysis skills are a nice-to-have; alternatively, can develop a secure coding program and implement systems using recognized standards or tools.
• Is highly involved in the change request program and works with the PMO and Operations teams on their daily needs. Security of data at rest and in motion should always be addressed as early as project initiation.
• Experience with the security posture of cloud providers such as Amazon is a must-have skill, along with knowledge of PCI DSS.
• Institutes and maintains an effective security communication program for the organization, including promoting (a) use of the security Hotline; (b) heightened awareness of the Standards of Conduct; and (c) understanding of new and existing compliance issues and related policies and procedures.
• Works with the Human Resources Department and others as appropriate to develop an effective Information Security training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
• Monitors the performance of the Information Security Program and related activities on a continuing basis, taking appropriate steps to improve its effectiveness.
• Leads and executes the Internal Audit change initiative by implementing action plans related to risk assessment and annual planning, audit execution, audit reporting, staff recruiting and development, audit technology, and Audit Committee reporting.
• Leads and executes the Internal Audit annual risk assessment and the enterprise risk assessment and planning process to develop the audit plan, ensuring the plan is responsive to and aligned with the risk profile of the organization.
• Designs and implements a framework for Internal Audit, Risk Management and Compliance for the Company.
• Designs and performs the annual audit plan and risk management for the business.
• Evaluates the efficiency of the risk management currently in place and works with senior operational stakeholders in designing and implementing best practice.
• Identifies the best business processes and recommends new and innovative ways to create efficiency and best practice across the group, identifying cost savings and revenue maximization.
• Acts as an independent and objective advisor to ensure validity, legality and alignment with strategic goals.
• Oversees the execution of the individual audits defined in the audit plan, ensuring the highest level of service quality and client satisfaction.