Associate Director - Country Information Security Risk and Analyst
Bangkok, TH, 10330
Summary:
The candidate will be part of the Company's information security office. The information security team communicates directly and regularly with the Information Security Officer (ISO), who may be the Region and Group Information Security Officer or a member of the Information Security Core Group. The information security risk and analyst must meet their responsibilities, which include: performing local Information Security risk management, including for 3rd party and consumed IT services, and identifying weak controls.
Key Responsibilities:
- Perform risk assessments and consult the Business Owner and stakeholders as the Subject Matter Expert for all related risk assessments, including Cloud IT Risk Assessment for consumed cloud services, 3rd Party/Outsourcing Security Risk Assessment, and Application Risk Assessment
- Support the Information Risk Owners to systematically identify, assess, monitor and steer Information Security Risks
- Identify weak controls and create, align, and monitor plans to close control weaknesses
- Monitor Information Security risks along the Information Security Risk Management (ISRM) framework in accordance with the overall Information Risk Management Process
- Manage, track, and supervise closure of open risks or appropriate extension of risk acceptances
- Escalate systematic control shortcomings to the ISO, Group and service provider
- Analyze, assess and ensure that security Service Level Agreements, including controls, are defined and monitored for applications, consumed IT services, and IT services provided to other related Companies
- Develop information security risk culture and awareness of local stakeholders
- Review the financial quantification of Cyber Risk and cooperate with Company Top Risk Assessment process
- Align and adopt the Cyber Risk Management strategy
- Ensure communication of applicable corporate rules and Information Security relevant information regularly
- Ensure implementation of Information Security related requirements deriving from Corporate Rules
- Other security-related matters as assigned
- With respect to these responsibilities, the information security team must have a local reporting line (e.g. regular information meetings, reports) to the ISO
Technical Skills:
- Statistical reporting and systematic thinking
- Technical & professional skills and qualities
- Knowledge and skills in the areas of risk and information systems control
- Knowledge and skills in the areas of application development and programming languages, Security Software Development Framework, and DevSecOps
- Knowledge and skills in the areas of cloud services and cloud security framework
General Skills:
- Project planning and monitoring
- Consulting Skills
- Good English communication skills are required
Required Experience:
- Professional experience in Information Security field for 5 - 8 years
- ISO27001 / NIST Framework
Required Education / Certifications:
- CISM (Certified Information Security Manager) or CRISC (Certified in Risk and Information Systems Control) is an advantage