Information Security Project Assurance Lead

Source: via resource
Location: City Of London, London
Posted: 08 Jul 2017
Closes: 07 Aug 2017
Contract Type: Full Time

Our client, a well-known UK retail organisation, is looking for an Information Security Project Assurance Lead with management experience to help ensure that IT projects are delivered securely, protecting client and employee data.

Duties & Responsibilities

  • Responsible for the information security management discipline, ensuring that an effective and coordinated set of processes is developed and maintained across all services, suppliers and customers:
    • Ensures that information, document and content storage, retention and management policies and procedures are maintained and aligned to industry best practice
    • Ensures that the benefits of information security and the concept of risk are understood by all colleagues
    • Proactively manages security risk assessments and mitigation plans to address risks within agreed timescales, evaluating business impact
    • Provides advice and guidance on the planning, design, implementation and improvement of system security, taking account of current best practice, legislation and regulation
  • Lead a team of Security Analysts engaged in delivering End to End Project Assurance i.e.:
    • Manage internal security assurance for internally developed applications within a DevOps environment
    • Scope penetration testing for both internal and external facing applications with external testing providers
    • Manage external resources to ensure that penetration testing is carried out to a suitable standard on time and within budget
    • Responsible for ensuring that vulnerabilities identified via internal or external security testing are suitably mitigated and any residual risks are documented and formally accepted
    • Conduct Information Security Risk Assessments using the Information Security Risk Management Process
  • Ensures all projects consider the security implications throughout the project lifecycles:
    • Security risks are identified early on and catered for in the solution design and that the resulting implementation addresses these risks
    • Authorises implementation of procedures to satisfy new access requirements, or provide effective interfaces between users and service providers
    • Works with the internal Legal team to ensure Data protection regulation is supported by all IT systems and processes
  • Reports the effectiveness of information security against industry standards and agreed KPIs, and maintains Security Incident Response Plans
  • Ensures the specific technical skills required are provided to manage and maintain security
  • Liaises with industry and national bodies (including regulators and auditors) to ensure the appropriateness of the information security function, e.g. PCI DSS compliance

Desired Skills & Experience

  • CISSP or CISM essential; CRISC, CCSP, CEH or equivalent desirable
  • Computer Science degree and/or MSc in Information Security desirable but not essential
  • Working knowledge of different delivery methodologies, including Waterfall, Agile and Hybrid; knowledge and skills to manage penetration testing processes and remediation
  • Has a broad knowledge and understanding of IT concepts and architectures including Cloud, BYOD, Mobile Device Management etc.
  • Proactively takes responsibility, owns any issues that arise and follows through to resolve them, recognising how individual responsibility affects team delivery, and inspires others to do the same
  • Knowledge of OWASP vulnerabilities, tools and methodologies
  • Demonstrates extensive knowledge of good security practice covering the physical and logical aspects of information products, systems integrity and confidentiality
  • Expert in methods and techniques for risk management, business impact analysis, countermeasures and contingency arrangements relating to the serious disruption of IT services
  • Expert in tools or systems that provide access security control (i.e. prevent unauthorised system access)
  • Strong current knowledge of PCI DSS, the DPA and ISO 27001