Data Security Governance Officer - Financial Services - London
A Data Security Governance Officer is required to join the newly created CIB Data & Information Security Team.
The role will focus on ensuring that data security workflows, steering and reporting run in a timely manner, providing appropriate management information for decision making, while monitoring key data security projects and guaranteeing delivery by internal partners (production security and other CIB development, support or security teams).
Data and Information have been put at the heart of the new Cyber Security Model. This is an exciting opportunity to work with interesting new security challenges in an environment with many different teams, platforms and applications.
The role encompasses a number of activities & responsibilities:
- To organise and manage data security steering meetings with IT and Business. This will include representation of data security in key committees but also the preparation of dedicated steering to ensure appropriate oversight and decision making by stakeholders.
- To drive, track and support data security remediation plans stemming from risk analysis, regulatory or audit requirements. The role plays a vital part in ensuring that any delay or unacceptable risk is escalated in a timely manner to the appropriate level of IT / Business management and to the second line of defence.
- To monitor key data security workflows such as Data Protection in Non-Production (DPNP). The role will see that these workflows, run by other teams, achieve their objectives in terms of data protection, and will participate directly in the validation process by seeking appropriate approvers and risk reviewers within or outside the team.
- To promote and support data security in other security, business and second line of defence committees.
- To provide security expertise on regulatory requirements, with a focus on the EU General Data Protection Regulation (GDPR). This role will ensure that data security requirements arising from regulations are understood, and that appropriate protection strategies are defined and implemented.
- To provide guidance on security strategy and tools / technologies, and to monitor Proofs of Concept and implementations by other security teams. More specifically, partnerships with application and production security teams must deliver strategies and tools that maintain an appropriate level of integrity, availability and confidentiality, and evidence (proof) where needed.
- To strengthen Business awareness of all risks associated with their data, and to ensure that information collected or produced by the team is synthesised and presented at the appropriate level to satisfy conduct and senior management regime requirements.
- To maintain an up-to-date view of the status of all remediation plans and to produce appropriate KPIs and KRIs to be fed to CIB, IT and Group.
The candidate will bring the following skills and experience:
- Excellent understanding of ISO IT security best practices and frameworks, such as ISO/IEC 27001
- Awareness of the main NIST and FFIEC standards and guidelines
- Strong technical skills: the ability to understand security best practices and technologies in detail and to apply them in the most effective manner to achieve high standards of security risk protection and mitigation
- Good understanding of IT best practices, from development through production to security
- Understanding of security risk standards, such as ISO 31000, ISO/IEC 27001 and ISO/IEC 27005
- Well-developed written communication skills with the ability to summarise key issues, conclusions and recommendations. Target audiences will include regulatory authorities, internal/external auditors and senior business stakeholders
- CISM, CISSP or equivalent certification
- A forward-thinking individual with the ability to look beyond immediate problems and issues, combined with a solid practical delivery focus.
- Highly skilled and able to demonstrate value to the security and risk communities at a practical level, working collaboratively alongside analysts and security, application and business staff
- The ability to manage independent responsibilities and projects while working closely with the security, IT and business communities; the candidate must be well organised, self-motivating and a good communicator
- Able to communicate effectively across a wide range of seniorities from entry level developer to senior management.
- Approachable and willing to share their expertise and experience in order to assist the development of teams and individuals
- Exposure to the COBIT 5 or ISO/IEC 38500 frameworks
- Exposure to NIST SP 800-30, the ISACA IT Risk framework or equivalent
- Experience with specific security and workflow products: RSA Archer, MS SharePoint portals, Atlassian JIRA