Manager - IT Security

About the Role

The Manager - IT Security is responsible for establishing and maintaining a
corporate-wide management program to ensure the information assets are
adequately protected.
This position is responsible for identifying, evaluating, and reporting on
information security, data protection, and data privacy risks in a manner that
meets the operational, compliance, and regulatory requirements, and aligns
with and supports the operations and risk appetite of GEMS Education.
Key Accountabilities:
* Develop, implement, and monitor a comprehensive enterprise information security and data privacy risk management program to ensure that the integrity, confidentiality, and availability of information is owned, controlled, or processed by the organization.
* Facilitate information security and data privacy governance through the implementation of a governance program, including the formation of an information security steering committee or advisory board.
* Develop, maintain, and publish up-to-date information security and data privacy policies, standards, and guidelines. Oversee the approval, training, and dissemination of the policies and practices
* Create, communicate, and implement a risk-based process for vendor risk management, including the assessment and treatment for risks that may result from partners, consultants, and other service providers.
* Develop and manage information security budgets (as assigned by the CIO) and monitor them for variances.
* Create and manage information security and data privacy awareness training programs for all employees, contractors, and approved system users
* Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
* Provide regular reporting on the status of the information security and data privacy program to enterprise risk teams, senior business leaders and the board of directors as part of a strategic enterprise risk management program.
* Create a framework for roles and responsibilities regarding information ownership, classification, accountability, and protection.
* Develop and enhance an information security management framework based on industry best practices, such as International Organization for Standardization (ISO) 2700X, IT IL, COBIT/Risk IT, and the National Institute of Standards and Technology (NIST).
* Liaise with development and operations teams to ensure alignment between the information security, data privacy, infrastructure, and application architectures.
* Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls.
* Liaise with development and operations teams to ensure alignment between the security, infrastructure and application architectures.
* Coordinate information security, data privacy, and risk management projects with resources from the IT organization and business unit teams.
* Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from applicable laws, standards, and regulations. Ensure that security programs follow such laws, regulations, and policies to minimize or eliminate risk and audit findings
* Define and facilitate the information security risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
* Manage IT security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.
* Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action
* Coordinate the use of external resources involved in the information security and data privacy program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
* Develop and oversee effective Business Continuity Management and IT Disaster Recovery policies and standards to align with enterprise business continuity management program goals. Coordinate the development of implementation plans and procedures to ensure that business-critical services are recovered in the event of a security event. Provide direction, support and in-house consulting in these areas.
* Liaise with Legal team to review new and existing 3rd party contracts to ensure information security/data privacy requirement incorporation.
* Ensure implementation and regular review of technical information security and data privacy measures to protect corporate IT assets, sensitive information, and personal data.
* Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of the security.
* Ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.
Qualifications, Experience & Skills:
* Minimum of a Bachelor's degree in Science (BS), Degree in Information Security, Computer Science, Engineering, or a related technical degree. A Master's degree is preferable.
* Minimum of ‎5 years of work experience in Information Technology Security
* Knowledge of common information security management frameworks, such as ISO/IEC ‎27001, ITIL, COBIT, and NIST.
* Strong understanding of risk management framework.
About Your Benefits
An attractive remuneration package is on offer to the successful candidate
including tax-free salary, medical cover, tuition fee concessions, annual
leave, and end-of-service benefits.