Information Security Officer (BISO) (13308)
Sector: Security Operations
Reports to: Head of Information Security
Preferred Certifications: CISSP, CISM, CCSP, or equivalent
The information Security officer will ensure the organisations central functions of are within the defined security risk appetite, by aligning business as usual and change efforts with governance and control frameworks.
Information security officers are the main point of contact for business units on security. Co-ordinating engagement and security risk management with IT, security and testing, internal risk and audit teams. The information security officer will be a trusted advisor for the CIO, and other business leaders, alongside providing expertise and awareness between the security team and central business units.
- Develop and maintain the two-way security/business relationship.
- Provide information security assurance on technology design and business process models.
- Identify security risks, then produce high quality documentation to express and report risks, including recommended solutions, to risk forums.
- Operate, manage, and help improve the bank’s control framework, applying it to the business, and gathering feedback for continuous improvement.
- Develop and maintain security/project relationship, including specific performance indicators, in line with risk appetite.
- Provide subject matter expertise to third party assessments, ensuring that information security, resilience and data privacy risk assessments are undertaken.
- Raise security awareness among staff in line with the company’s security policies and standards.
- Manage relationships with stakeholders, to influence and support the delivery of security services.
- Ensure security and resilience risk tolerances are raised and managed appropriately, in conjunction with the IT risk, security risk, and governance functions.
- Ensure all compliance and governance obligations are followed, including reporting and reviewing actions required by regulators.
- Experience of Information Security and resilience management from analyst to senior level.
- Design, operation, and oversight of standard industry control frameworks such as NIST and ISO27000 series.
- Good understanding of the Data Protection Act 1998 and General Data Protection Regulation.
- Good understanding of regulatory obligations including PCI/DSS, FCA and PRA.
- Experienced in stakeholder engagement and management, who can pragmatically balance information security with business objectives.
- Conversant with technical and governance specialties of information security, risk, audit and compliance
- Familiarity with current security tools, techniques and processes, including experience of implementing tools, processes and training to demonstrate quantifiable security benefits.
- Keeps up to date with developments in the industry, understanding the potential implications of new technology, tactics and methodologies.
- Good understanding of the following: GDPR, PCI DSS, crisis management, DLP, PAM, IDS, IPS, Firewalls, SOC/SIEM, routers, switches, load balancers, cloud environments and virtualisation.
- Experienced of selecting and implementing suitable information security controls.