3.8

based on 333 Reviews


26 Quinnox Jobs

Information Security Lead

6-11 years

Mumbai

1 vacancy

Information Security Lead

Quinnox

posted 1hr ago

Job Role Insights

Flexible timing

Job Description

Job duties / Role:

1. Information Security Management

  • Assist CISO in implementation and management of entire ISMS life cycle
  • Responsible for development, periodic review, control and management of ISMS policies and procedures
  • Monitor the adequacy of operational procedures, policies and process, create and monitor compliance
  • Coordinate the Organization's ISO 27001:2013 recertification and SOC2 attestation process in terms of planning, coordination with business owners and stakeholders, scheduling audit meetings, audit execution and closure.
  • Ensure compliance at an organizational level, achieved through identifying the applicable requirements which in the case of Quinnox are the ISO 27001 standard, Customer Contractual Security obligations and defined internal policies and procedures.
  • Monitor performance of GDPR controls and respond to the quarterly compliance checklist.
  • Ensure GDPR Data Processing Impact assessments are carried out periodically and gaps are addressed
  • Plan and conduct the annual Management Review meeting. Demonstrate the performance of ISMS through the year and seek feedback / advice from the Leadership Council.
  • Review and respond to risk assessment questionnaire by our clients
  • Review MSA Security clauses of the existing clients and prospects
  • Participate in POC of new security tools and implementation

2. Information Security Risk Management

  • Carrying out Organization Wide Information Security Risk Management exercise on an Annual Basis to Quantify the Risks associated with the Information Assets and accordingly devise the Risk Mitigation strategies.
  • Developing and Maintaining Risk Registers of all the Projects/Support Functions.
  • Creating a Risk Summary report for the executive management.

3. Technical Vulnerability Management

  • Monitor and review anti-virus and patch report across all endpoints and ensure that all endpoints are up-to-date with latest AV patches.
  • Ensure SIEM and DLP alerts are monitored and corrective actions taken to address potential threats
  • Ensure monthly scanning of infrastructure is carried out and vulnerabilities are remediated in time
  • Defining the Scope of external VAPT and facilitating the VAPT vendor personnel with the requisite information.
  • Facilitate the external VAPT exercise at org level, reviewing the VAPT findings for verifying the authenticity of the reported observations and ensure timely mitigation.

4. Audit Management:

  • Act as point of contact for all external audits of ITIM to define scope and parties necessary to participate. Act as a repository of audit data to prevent duplication of audited processes
  • Based on known annual audits, develop a schedule for audits which allows for distribution of audits throughout the course of the year
  • Plan, schedule and execute internal ISMS audits twice a year
  • Record the audit findings and track the closure of NC after following up with the concerned departments
  • Summarize the audit findings and associated CAPA to include in steering committee meetings.
  • Act as point of contact during external audits and ensure smooth execution through careful planning ahead of time.

5. Change Management; Incident Management; ISMS Document Control:

  • Ensure that all changes to critical infrastructure take place through appropriate change control
  • Review change records for appropriateness and ensure that they are all filled in with the correct and relevant information by the responsible teams. Approve or reject changes in line with our change control policy
  • Work as Incident Response Coordinator who, in consultation with the IT head/CISO, will be responsible for timely escalation and reporting of security incidents.
  • Reviewing incident records for appropriateness and ensure that RCA and corrective actions are captured appropriately.
  • Ensure all Incidents and security events are reviewed on an ongoing basis and appropriate corrective measures taken to remediate the issues.
  • Maintaining, tracking and updating Change and Incident records (Record Management).
  • Control of ISMS Documents and Records

6. Information Security Training & Awareness:

  • Ensure dissemination of knowledge on our ISMS policies and procedures through awareness campaigns. Ensure the ISMS training compliance across all locations. Publishing security updates through newsletters on a periodic and ongoing basis.

7. Business Continuity:

  • Perform business impact analysis, risk assessment, mitigation plans / recovery strategies and BCP testing for the company's critical business processes, operations and the technology that supports them.
  • Ensure BCP tests, DR Drills conducted as per schedule
  • Conduct BCP training to the crisis response team and project managers at least once a year
  • Identify single points of failure through risk assessment and propose controls

Competencies/Skills required:

Must have managed Information Security in a medium / large size organization. Should be well versed with all aspects of Information security and risk management.

Could have worked as an information security consultant in any of the consultancy service provider firms.


Qualifications and Education Requirements:

Minimum education – Bachelor of Engineering

Certifications such as CISSP, ISO 27001 (ISMS) Implementer / Lead Auditor, CISA, CISM will be an added advantage.


Additional Notes:

Ideal candidate for this position would be one who has completed an entire lifecycle of Information Security Management System in a medium or large organization.



Thank You,

Rajashri


Employment Type: Full Time, Permanent


People are getting interviews at Quinnox through

(based on 17 Quinnox interviews)
Job Portal: 58%
Campus Placement: 18%
Referral: 6%
18% candidates got the interview through other sources.
High Confidence
High Confidence means the data is based on a large number of responses received from the candidates.

What people at Quinnox are saying

Information Security Lead salary at Quinnox

reported by 5 employees with 4-8 years exp.
₹8.5 L/yr - ₹12.5 L/yr
50% less than the average Information Security Lead Salary in India

What Quinnox employees are saying about work life

based on 333 employees
77%
94%
69%
91%
Flexible timing
Monday to Friday
No travel
Day Shift

Quinnox Benefits

Submitted by Company
Hybrid Work Schedule
Employee Engagement Activities
Health and Wellness
Submitted by Employees
Work From Home
Cafeteria
Soft Skill Training
Health Insurance
Job Training
Team Outings

Compare Quinnox with

TCS: 3.7
Infosys: 3.7
Wipro: 3.7
HCLTech: 3.5
Tech Mahindra: 3.6
LTIMindtree: 3.9
Mphasis: 3.4
Persistent Systems: 3.5
Hexaware Technologies: 3.6
Xoriant: 4.2
Photon Interactive: 4.0
CitiusTech: 3.4
Iris Software: 4.1
HERE Technologies: 3.9
BT Business: 4.1
HTC Global Services: 3.6
iOPEX Technologies: 3.6
Tietoevry: 4.3
Evalueserve: 3.3
Unisys: 3.7

Similar Jobs for you

GRC Analyst at SMC Global Securities

Delhi/Ncr

2-7 Yrs

₹ 5-12 LPA

Security at Dharampal Satyapal Group (DS Group)

Noida

3-6 Yrs

₹ 7-15 LPA

Information Security Manager at Transformative Learning Solutions

5-6 Yrs

₹ 15-18 LPA

Information Security Analyst at Increff

Bangalore / Bengaluru

3-5 Yrs

₹ 10-15 LPA

Information Security Manager at Serving Skill

Mumbai

4-10 Yrs

₹ 13-15 LPA

Assistant Vice President at BOB Financial Solutions Ltd

10-16 Yrs

₹ 20-40 LPA

Information Security Lead at Amdocs Development Center India Pvt. Ltd.

Pune

8-14 Yrs

₹ 12-18 LPA

Security Analyst at Ericsson India Global Services Pvt. Ltd.

Noida

10-12 Yrs

₹ 12-14 LPA

Information Security Lead at Naukari Wale

Bangalore / Bengaluru

4-7 Yrs

₹ 12-25 LPA

Governance Analyst at Vichara Technologies

Pune, Delhi/Ncr + 1

7-12 Yrs

₹ 22.5-35 LPA

Quinnox Mumbai Office Location

Andheri Office
Unit 170, SDF VI, Santacruz Electronic Export Processing Zone, Andheri East, Mumbai, Maharashtra 400096, India

Information Security Lead

6-11 Yrs

Mumbai

16hr ago·via naukri.com

.Net and Python Developer

6-9 Yrs

₹ 15 - 20L/yr

Mumbai, Bangalore / Bengaluru

1d ago·via naukri.com

Manual Test Engineer

7-10 Yrs

Bangalore / Bengaluru, Mumbai

2d ago·via naukri.com

Calypso Developer

4-9 Yrs

Bangalore / Bengaluru, Mumbai

2d ago·via naukri.com

Angular & Python Developer

3-8 Yrs

Bangalore / Bengaluru

4d ago·via naukri.com

Sr. AI Engineer

3-8 Yrs

Bangalore / Bengaluru

4d ago·via naukri.com

SAP PP - (immediate Joiners)

8-13 Yrs

₹ 15 - 25L/yr

Mumbai, Bangalore / Bengaluru

4d ago·via naukri.com

Data Engineer

3-8 Yrs

Bangalore / Bengaluru

4d ago·via naukri.com

.Net Core Developer

7-12 Yrs

Mumbai, Bangalore / Bengaluru

6d ago·via naukri.com

Python Backend Developer (AWS Serverless)

7-12 Yrs

Mumbai, Bangalore / Bengaluru

6d ago·via naukri.com