Job Title: Manager – Information Security & Risk
Location: Sharjah – Head Office
Reporting Line/Relationships: Head of Governance
Job Purpose: Establishes and monitors the execution of an information security and risk framework and an overall compliance strategy to protect the confidentiality, integrity and availability of the Company’s information assets and to minimize and manage risks arising from IT. Ensures that the company processes the sensitive data of its staff, clients, providers or any other individuals in compliance with the applicable regulations and standards (e.g. GDPR for data protection, PCI DSS for payment card processing).
Impact: Develops and implements frameworks and standards to secure Information Technology assets and protect the company from risks arising from IT. Poor performance in this role may lead to increased risk exposure, failures in IT services and loss of data, resulting in increased threats to the business, damage to the company’s reputation and regulatory non-compliance.
Decision Making Parameters:
- Empowered to make decisions on aspects related to Information Security and Risk Management, within the framework of responsibilities and boundaries identified with this role and in accordance with standard practices and guidelines set by the company.
- Consults with the Head of Governance on all strategic and non-routine decisions. All duties shall be performed through the proper channels and in compliance with adopted policies and procedures.
- Reports to the HOD/CEO for issues and decisions related to regulatory compliance.
Qualifications (Academic, training, languages, etc.):
- Bachelor’s degree in Computer Engineering, Computer Science, Information Technology or equivalent.
- Certification relevant to Information Technology/ IT Security/ Audit/ Governance e.g. CISA, CISM, CISSP, CGEIT.
- Fluent in English.
Key Result Responsibilities:
- Develops, manages and communicates the Corporate Information Security Framework, comprising policies, standards and processes based on international standards (e.g. ISO/IEC 27001) as well as legal, regulatory and contractual requirements (e.g. GDPR, PCI DSS), and ensures that its policies and procedures are adopted and adhered to.
- Develops an overall information security and compliance strategy, and recommends appropriate controls and tools, ensuring that they are in line with the company’s objectives, agreed measures and information control requirements.
- Monitors environmental and market trends, proactively assesses their impact on business strategy, and advises on the necessary security controls in collaboration with experts in other functions (e.g. legal, technical support, architecture).
- Defines and implements a risk management framework for the company to ensure that IT security risks are managed to acceptable levels and in compliance with relevant regulations.
- Coordinates periodic vulnerability assessments and penetration tests of the IT environment to verify the effectiveness of controls, identify risks and threats, and manage remediation as required for the effective protection of information assets and/or regulatory compliance.
- Ensures there is sufficient visibility at the appropriate management level for every risk, including its impact and the cost of mitigation.
- Investigates access rights violations and defines organization-level access control policies.
- Coordinates the effective implementation of a data protection program aligned to the applicable regulatory regimes (e.g. GDPR), including records of processing, associated policies and procedures, and reporting to and engaging with supervisory authorities whenever needed.
- Directs and guides internal teams and/or external providers to ensure that all information assets are well protected. Reviews and actions any exceptions to policies and standards based on their impact, and takes ownership of all information security initiatives.
- Keeps abreast of market trends and the latest products related to information security, and maintains a broad understanding of the environment in order to source services from the external market.
- Develops, manages, maintains and regularly tests the security incident response plan, ensuring that all incidents are reported, documented, resolved and recovered from.
- Handles any additional duties as directed by the Head of Department/CEO.