Information Security Manager
15 July 2021
Job title: Information Security Manager
Contract: Permanent, Part-time (Flexible on number of hours, to be discussed with candidate)
Team: IT Team
Reports to: Head of IT
Budget responsibility: Infosec training; external security consultants
Location: Bath or Remote (UK based only)
Please note, this position is only open to applicants who have the right to work in the UK.
The ORX Information Security Manager is the focal point for information security at ORX, driving and overseeing company-wide infosec risk management. By providing some independence from IT operations, security practitioners and third parties, this role gives the Executive Team, the Board Audit, Risk and Quality Committee and the Board confidence that infosec risk is well managed.
ORX helps the global financial services industry measure and manage operational risk. We research, improve understanding and share knowledge to benefit our members and the wider sector.
We're a dynamic, fast-growing, international industry association with a membership of over 100 leading banks and insurers from more than 20 countries. We are continuing to grow our membership and range of services in 2021.
Main duties and responsibilities
Infosec strategy and improvement programme:
- Maintain and manage the over-arching information security strategy, specific strategies and a programme of enhancements
- Communicate infosec goals and change activities to the wider business to ensure engagement and success
- Build and enhance a partnering relationship with other business areas and external stakeholders
- Ensure sufficient understanding of ORX’s business objectives to assess the impact of change and advise accordingly
- Drive general alignment with ISO27001 principles for the management of our most confidential data
Policies and procedures:
- Maintain InfoSec policies and procedures in line with risk appetite and good practice
Infosec risk management, governance and reporting:
- Run periodic internal risk assessments with representatives from all areas of the business
- Maintain internal risk and control register, with general alignment to ISO27001 where in scope
- Log all operational incidents, agreeing and following up on remedial activities
- Keep appropriate records and provide periodic business reports to the Executive Team and Board Audit, Risk and Quality Committee
- Maintain business continuity plans and run business incident tests (including disaster and phishing tests)
Subject matter expertise & continuous improvement:
- Maintain awareness of relevant regulation, legislation and standards, e.g. ISO27001 and ISO9001 (and other information governance standards)
- Maintain awareness of a broad range of technologies including common vulnerabilities and exploits, with a comprehensive knowledge of security controls
- Be proactively aware of what ORX member firms will expect from ORX services
- Support the implementation of new or improved controls to strengthen the information security environment
Communicating, training and awareness:
- Provide advice and input on the risk aspects of all ORX change activity to ensure risk is considered and taken into account appropriately
- Define and run information security awareness and training for all staff and provide introductory training for all new staff
- Manage reviews/audits requested by ORX member organisations (and prospective members), managing and addressing any resultant findings
- Manage and maintain a bank of expert security consultants and the associated budget
- Review the internal control environment regularly to identify weaknesses or gaps in line with industry control standards
- Develop and manage third party supplier security monitoring framework
- Identify and challenge behaviours or activities that contravene risk policies and procedures
Skills, knowledge and experience
- Right to work in the UK
- Degree in Technology, Security, Information Governance or related field and / or validated experience which shows an ability to operate effectively
- Professional security qualifications and certifications such as CISSP, CISM, CISA, ISMS RM, CIS RM, ISO27001 or equivalent experience
- Knowledge of information security, risk and control frameworks such as ISO 27001, ISO 9001, COBIT and ITIL
- Good knowledge of the latest trends in information security and risk management, e.g. evolving technologies, cyber risk mitigation, etc.
- Demonstrable high degree of initiative and drive to get things done
- Excellent communication skills and numeracy
- Ability to handle confidential material with the highest discretion
- Ability to work autonomously and proactively
- Self-motivated and highly organised
- Able to cope under pressure and prioritise tasks
- Understanding when to escalate issues so that they are handled appropriately within the agreed policies and procedures
- Good relationship management skills, with the ability to build strong professional relationships with third-party suppliers
- Experience of data privacy management, including GDPR controls and compliance
- Understanding of information governance requirements for businesses operating in financial services (and in particular in a heavily audited environment/sector)
- Experience of auditing IT environments, either through an internal or external audit role
What we offer in return
- Competitive salary
- Flexible working to support a healthy work/life balance
- Bonus scheme
- Eight per cent company contribution to pension
- Employee recognition scheme
- Support for training and development
- Twenty-five days holiday a year, increasing by one day for each year of service to a maximum of 28 days
- Interest-free rail season ticket loan
- Life assurance
- Health cash plan
- Cycle to work scheme
- Perks at work scheme
- Employee assistance programme
- Holiday trading
- Sabbaticals and long service awards
- Summer and Xmas social events
- Inclusive and supportive working environment
What else do you need to know?
We are an equal opportunity employer. We create an environment where everyone has an equal chance to succeed, during our recruitment phase and through their career at ORX.
At ORX, we work hard while recognising the importance of the well-being and work-life balance of our staff. This is reflected in our culture and in our approach to flexible working.
As we manage and have control of highly confidential data, the successful candidate will have to make specific commitments in this regard and will be subject to background checks.
To apply send your CV and a covering letter to [email protected]. In the body of the email, please confirm what your salary expectations are.