Information Security Manager

Information Security Manager (Job descriptions)

General Information

Position

Information Security Manager (Job descriptions)

Department

Administrative manager

CIO

Functional manager (dotted reporting line)

CISO

Description

(Summary of key job focus, tasks, requirements)

The ISM is responsible for establishing and maintaining an information security program to ensure that the information assets of the companies under his/her responsibility are adequately protected. This position is responsible for identifying, evaluating, managing and reporting on information security risks and on technological, process and software weaknesses in the IT infrastructure and landscape, in a manner that meets compliance and regulatory requirements and aligns with and supports the risk posture of the enterprise. This position is also responsible for running the necessary information security tools, projects and activities, developing the necessary documents and regulations, actively participating in BCP&DRP activities, handling information security incidents, etc.
The ISM position requires an information security expert with sound experience in IT and information security, including access management, network security, change management, program development and vulnerability management, backup and recovery, and cloud security. The position requires project management skills and a technical background in information security technologies combined with a business-oriented mindset. The ISM will proactively work with IT and other business units to implement practices that meet defined policies and standards for information security. He or she will also manage and conduct a variety of IT-related risk mitigation activities.
The ISM coordinates the IT organization's technical activities to implement and manage security infrastructure, and provides regular status and service-level reports to management. The ISM must be able to clearly convey the local information security context (technical, legal, organizational, etc.) to his or her manager and to the CISO.
The ISM serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information, in compliance with the organization's information security policies. A key element of the ISM's role is coordinating with the CISO to meet business expectations. The ISM must be highly knowledgeable about how information systems are maintained in a fully functional, secure state.
Expertise in leading project teams and in developing and managing projects is essential for success in this role. Other project management tasks include resource balancing across multiple IT and security teams, task prioritization and project reporting.
The ISM is expected to communicate with highly technical staff as they work to accomplish company and personal development goals and must, therefore, have proven technical skills. Documentation and presentation skills, as well as analytical and critical thinking skills, are key requirements of the ISM position.

Roles and responsibilities

Responsibilities (describe)

The ISM's job is composed of a variety of activities, including very tactical, operational activities in support of the ISM's program initiatives, such as:
➢ Information security program
➢ Architecture/engineering support
➢ Security liaison
➢ Operational tasks
Information security program
➢ Develop, customize to local specifics, obtain approval from the CISO, implement and monitor the information security program to ensure that the integrity, confidentiality and availability of information meet business requirements. Track program implementation performance and provide regular reporting on the current status of the information security program to the manager and the CISO. Report to the CISO any deviations from the program implementation plan.
➢ Identify critical IT assets. Conduct periodic IT risk management activities in accordance with Softline’s global IT risk management methodology.
➢ Manage and improve the enterprise's information security organization via policies, procedures and standards, escalating to the CISO issues that are not properly addressed locally.
➢ Facilitate information security governance and management by ensuring that Softline’s guiding documents in the area of information security are followed and that requests from the CISO are addressed locally in a timely manner with the expected result.
➢ Be the person responsible for information security certification and the maintenance of certificates (e.g. ISO 27kX, PCI DSS, etc.).
➢ Manage (develop, maintain and publish up-to-date) information security policies, standards and guidelines. Conduct training for employees based on information security policies and practices.
➢ Develop information security technical standards (for example in the areas of remote access and cloud security), obtain approval from the CISO and direct manager, communicate them and track their implementation.
➢ Develop, obtain approval for and manage information security budgets. Monitor them and report variances.
➢ Meet KPIs defined by the manager and the CISO.
➢ Develop and enhance an information security management framework based on the National Information Assurance Policy.
Architecture/engineering support
➢ Liaise with the enterprise IT architecture team to ensure alignment between the security and IT architectures.
➢ Develop and agree the information security architecture with IT. Make sure information security tools and controls meet business requirements.
➢ Liaise with IT management to align the existing technical installed base and skills with future architectural requirements.
➢ Recommend and coordinate the implementation of technical controls to support and enforce defined security policies.
➢ Research, evaluate, design, test, recommend or plan the implementation of new or updated information security tools or controls; provide technical and managerial expertise for the administration of security tools.
Security liaison
➢ Liaise between the information security team and the corporate compliance, audit, legal and HR management teams as required to minimize penalties and claims from governmental agencies. Ensure that security programs comply with relevant laws, regulations and policies to minimize or eliminate risk and audit findings.
➢ Liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure that the organization maintains a strong security posture.
➢ Assist resource owners and IT staff in understanding and responding to security audit failures reported by auditors.
Operational tasks
➢ Own and run information security controls for all domains in accordance with well-known standards (for example ISO 27kX, NIST, PCI DSS, etc.).
➢ Participate in external audits, information security assessments, penetration tests, etc.; make sure auditors gain a full understanding of the information security controls in place and provide relevant findings.
➢ Lead the implementation of modern security tools.
➢ Improve user awareness.
➢ Manage BCP&DRP (plan development, testing, training).
➢ Conduct reviews of IT and non-IT projects to ensure that security is factored into the evaluation, selection, installation and configuration of solutions, hardware, software, applications and processes.
➢ Conduct information security incident management and reporting. Maintain the information security incident database. Ensure timely reporting of ICT security incidents and adequate participation in their investigation, with Q-CERT and/or law enforcement agencies as applicable.
➢ Conduct internal audits and investigations in the area of IT and information security, including those that use specific tools: nmap, Rapid7, Qualys, MS ATA, MS ATP, antivirus protection (e.g. MS Defender), Nessus, Wireshark, etc.
➢ Vulnerability management: recommend treatment plans and communicate information about residual risk.
➢ Handle alerts from security tools like MS Defender online, Sentinel and the built-in security alerting functions of MS Azure.
➢ Maintain an information security knowledgebase comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations.
➢ Monitor the external threat environment for emerging threats, advise direct manager and CISO on the appropriate courses of action.
➢ Ensure the necessary security tools are implemented in accordance with global projects and guidelines.