Information Security Officer at Liberty Life

Main Purpose

To implement a comprehensive Information Technology security program with the Information Technology lines of business to protect their applications and supporting infrastructure from both internal and external threats, manage threats and incidents when these materialize, ensure compliance with regulatory requirements regarding Information Technology security, ensure the appropriate use of assets and educate employees about their Information Technology security responsibilities.

Key Responsibilities

Work with IT partners to provide IT Security Advisory services and guidance by:

• Developing and maintaining relationships with key stakeholders to further embed the partnership that exists between IT Security, IT and the business.
• Research and maintain knowledge of the IT threat landscape, security trends, regulatory requirements, new technologies and best practices in order to provide sensible and pragmatic security advice to stakeholders.
• Facilitate the adoption of IT Security solutions e.g. privilege user management or access management processes and services e.g. IT Security engineering and penetration tests across the application and infrastructure landscape.
• Provide adequate IT Security input into all features and other technology solutions; this includes the requirements for the evaluation, selection, installation, configuration and maintenance of hardware, applications and software.
• Develop an effective line of business IT Security strategy that supports and enables business strategy.
• Advise IT business partners on regulatory and/or legal requirements as it relates to securing of data as well as assist with the implementation of the controls to support these requirements.
• Establish relevant metrics and management information to facilitate reporting and decision making.
• Act as a single point of contact for IT security risks, incidents and controls within the business units.

Identify, Assess and Remediate Technology and IT Security risks by:

• Developing a security assessment schedule across the respective lines of business / business units.
• Conduct reviews of applications, systems, underlying infrastructure and related processes as per the schedule.
• Establish and maintain risk profiles for business units by facilitating the implementation and ongoing management of general control reviews.
• Collaborate threat intelligence, cyber security, security engineering and other risk functions to develop and maintain a holistic security strategy and remediation plans.
• Collaborate with feature teams, product owners, architecture, IT, business, vendors and other stakeholders to investigate risk remediation controls.
• Assist in documenting and tracking security findings into a formal risk register. Provide the necessary information to support any deviation to IT Security policies and standards.
• Facilitate the use of secure architectural patterns and work with the security engineers to translate these patterns into line of business secure builds.
• Embed the use of self-service and automated security testing into the DevOps/Software Development Lifecycle.
• Facilitate continuous technical system reviews by working with the Business Systems Team and assist business with interpretation and implementation of required controls.
• Establish relevant metrics and produce risk reports for stakeholders highlighting key risks, threats, incidents progress and status to assist in decision making.
• Participate in IT Security incident response planning and investigation of security breaches and assis with disciplinary and legal matters associated with such breaches as necessary

Assist with implementation of IT Security Policies, Standards and Guidelines by:

• Participating in the development of new and the annual review of existing IT Security Policies, Standards and Guidelines by providing input to enhance the quality and completeness of these documents.
• Communicate the requirements for compliance to the IT Security Policies, Standards and Guidelines to the relevant parties within IT.
• Identify areas of non-compliance to IT Security Policies and Standards within IT.
• Alert the responsible parties in IT where there is non-compliance to IT Security Policies and Standards and work with them to identify and recommend practical and feasible remediation plans and technical solutions.
• Report on the level of compliance and progress towards achieving compliance to IT Security Policies,Standards and Guidelines to the IT business partners.

Create culture and awareness of IT Security good practices by:

• Develop an awareness and training plan for the line of business that is fit for purpose, aligned with strategy and considers a range of risk data points e.g. audit findings, risk and control self-assessments, IT Security risk assessments, emerging threats and risks, and incidents.

Qualifications

• Degree in Computer Science or equivalent
• Compulsory - CISSP (Certified Information Systems Security Professional)
• Advantageous - CISM (Certified Information Security Manager)

Experience

• 5 - 10 years’ experience in a similar environment, of which 3 - 6 years at Technical Level

Competencies

• The ability to assess and mitigate the risks associated with the storage and retrieval of electronic information.
• Ability to examine essential elements of risk such as; assets, threats, vulnerabilities, safeguards, consequences and the likelihood of the threats materialising.
• The ability to define and analyse risk identification information in a quantitative and/or qualitative way.
• The ability to manage, and provide expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.
• The ability to independently conduct third-party assessment of the conformity of any activity, process, deliverable, product or service with the criteria of specified standards, best practice or other documented requirements with regards to network security tools, firewalls and Internet security.
• Business Continuity planning
• IT Security and Security appliances
• Understands main business drivers in order to impact on decision making and get things done
• Has a clear understanding of the business implications of each decision made. Shows the ability to focus on the bottom line. Understands the market and is aware of competitors’ activities. Usually aligns actions with the organisation’s strategic goals.
• Encourages new ideas and change by challenging the status quo and being open to new possibilities.
• Knowledge and understanding of the external and internal environment (global marketplace experience, developments and trends related to the IT function.
• Has detailed understanding of relevant policies and procedures and interprets these according to operational circumstances to ensure compliance. Understands the business context sufficiently to recommend improvements and modifications to existing policy.
• Has a deep knowledge of IT solutions and their short- and long-term benefits and is able to make a business case for large IT initiatives to improve overall performance.
• Cooperates with others to accomplish common goals; works with employees within and across his or her department to achieve shared goals; values the contributions of others.