Our client's Governance, Risk and Compliance (GRC) team supports IT and Business Units to define, implement and maintain an Information Security Management System (ISMS), with the ultimate objective of enabling sound and formal risk decision-making by management.
The implementation of a suitable ISMS requires defining an integrated normative and control framework, based on authoritative sources (e.g. directives, laws, …), via policies and standards.
The effective operational implementation of these policies and standards must be ensured through compliance monitoring that measures the degree of conformity and effectiveness.
The final objective is to provide reasonable assurance on the achievement and realization of important security and continuity risk control objectives.
Complementary to these activities, the GRC team is very active in:
- the identification of information security risks on assets/applications, projects and 3rd-parties
- the elaboration and management of the implementation of a flexible strategy to reduce Information Security risks in accordance with the Information Security policies of our client
- the development and implementation of security controls in order to mitigate risks and demonstrate compliance.
To support these activities, our client's Governance, Risk and Compliance team is looking for an Information Security Control and Compliance Officer.
Function Description & Deliverables
As an Information Security Control and Compliance Officer you will carry out the activities listed below:
Develop, implement and maintain Information Security Controls (with a special focus on Identity & Access Management):
- In order to ensure that the organization, processes, and assets are managed in accordance with the security policies, and that therefore the risks are controlled:
- Support first-line in the definition and implementation of security controls
- Coordinate and monitor the execution of first-line controls
- Follow up on and report to management and the second line of defence the results of first-line controls and the status of remediation actions
- Provide advice on improvement of existing security controls.
Contribute to the tasks of GS Information Security Normative Framework:
- Acquire and maintain knowledge of GS information security policies, their evolution and their alignment with authoritative sources, other frameworks and legislation
- Perform gap analysis to ensure that missing elements are integrated when and where relevant into the Information Security Policies by proposing the necessary change request texts
· Provide a multidimensional compliance view
· Maintain a traceable inventory of changes related to controls and updates in GS normative framework.
Based on a good knowledge of the bank's normative framework, which you will need to acquire, and particularly on your own experience:
· Identify impacted assets and processes upon policy & control changes
· Allocate the implementation roles and responsibilities for each security requirement
· Get implementers’ acceptance on the roles and responsibilities allocated to them
Master's degree in IT or science, or an engineering degree, with a strong IT background or proven equivalent experience / skills in the area.
Fluent speaking and writing
Good speaking and writing
Fluent speaking and writing (mandatory)
Required knowledge / Experience
3-5 years of experience in Information Security and in IT process management.
· 2-5 years' experience in IT security technology and processes (good knowledge of Identity & Access Management is a plus);
· Experience in Metrics definition and dashboarding;
· Good knowledge of Excel (pivot tables, formulas) and Access;
· Knowledge of SharePoint (as a user).
· Certifications in the ISO 27k series, Certified Information Systems Security Professional (CISSP), CISA, …
· 2 years’ experience in developing and maintaining policies and / or processes (preferably in IT area);
· Experience with regulatory requirements, ISO/IEC standards (e.g. ISO/IEC 27001 Information Security Management Standard, …), laws and regulations;
· Coordination of / collaboration with external resources.
· Certified ISO27001 Lead Implementer;
· Knowledge of NIST control framework, PCI Standard, CIS20, SIG;
· Experience in designing and implementing controls;
· Knowledge of GRC Tools such as RSA Archer;
· Project Management/coordination skills (Ability to run projects mostly intra-team).
· 2-5 years’ experience in IT, Information Security environments;
· Capability to quickly understand end-to-end process flows and control needs;
· Experience in drafting memos and reports addressed to senior management level.
· Preference will be given to candidates who have a good knowledge / practical experience of different bank entities / processes.
Quick self-starter, pro-active attitude; team player;
Excellent English writing skills;
Good communication and influencing skills; ability to capture and adapt to stakeholder expectations;
Good analytical and synthesis skills, ability to produce structured and concise documents;
Autonomy, commitment and perseverance in personal organization;
Ability to work in a dynamic and multi-cultural environment;
Results- and time-oriented; high performer.