Information Security Analyst
Overall Purpose of Job
The Information Security Analyst has an advisory, supporting and assurance role in Group Information Security. They support the Manager in delivery of the Information Security strategy across the business to raise awareness of information security and reduce exposure to information risks. The role will also work closely with the Operational Risk team as well as other stakeholders such as the Cyber Security Manager and Group Legal & Compliance. However, the Analyst should expect to deal with all parts of the business in carrying out the role.
- Maintain the Group Information Security policy framework, ensuring its policies are up to date and comply with all legal and regulatory requirements.
- Assist with implementing the Group’s GDPR roadmap to achieve compliance by May 2018.
- Assist with managing the Group's compliance with ISO27001 certification - this will include re-certification in mid-2017.
- Assist with information security risk assessments on new systems, changes to existing systems and critical Third Party Suppliers, both existing and newly onboarded.
- Assist with reviewing 1st Line Risk Control Self-Assessments in alignment with the Group Operational Risk team.
- Assist with managing the Group's compliance with PCI-DSS certification.
- In line with Group Operational Risk and Group Technology incident management frameworks, assist with evolving a specific Information Security incident response to any actual or threatened disruption to Group business, including contributing to Business Continuity Management.
- Contribute to developing an Information Security-aware culture, underpinned by clear guidance to staff and proactive training and awareness programmes, in conjunction with Group Learning & Development.
Experience, Knowledge and Skills
A solid understanding of Information Security and Data Protection, gained either through education or relevant work experience, in one or more of the following areas:
- Implementation, operation and maintenance of the Information Security Management System (ISMS) based on the ISO/IEC 27000 series standards.
- Knowledge gained through working in an information security environment. Desire to work on the governance, risk & compliance "end" of the information security and data protection spectrum.
- Experience of compliance with the Data Protection Act and an understanding of what GDPR will require.
- Experience of PCI-DSS compliance.
- Working in a fast-paced operational environment requiring a degree of change tolerance.
- Experience in working in teams and being independently motivated to be self-sufficient.
- Having exposure to a broad range of organisational functions and gained some experience in an end-to-end business environment.
- Exposure to some of the following areas would be beneficial:
  - A good all-round knowledge of IT systems, platforms and networking technologies.
  - Experience with Vulnerability Assessment and Vulnerability Management.
  - Information security management qualifications such as CISA, CISM or CISSP.
- Confident, trustworthy with a proven ability to work creatively and analytically in a problem-solving environment.
- Self-motivated - personal drive and enthusiasm to continually improve and provide the best in all situations and able to readily embrace change.
- Clearly demonstrates behaviour and attitude which contributes towards achieving and supporting the company and operational objectives.
- Capability and willingness to accept and adapt to a changing environment and adjust behaviours accordingly, taking account of differing factors, perspectives and views.
- Confidence to accomplish job requirements and positively welcomes feedback for continuous improvement.
- Aptitude to work within a dynamic environment finding the right balance between effective operational running and best practice implementation of security within a highly technically able environment.