opexxx

CISO_job_description

Mar 26th, 2021 (edited)
124
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.99 KB | None | 0 0
  1. JOB TITLE
  2.  
  3. Information Security Officer -
  4.  
  5.  
  6. GENERAL JOB DESCRIPTION
  7.  
  8. Several advisory services in term of Security Management and Governance are being expected to support the adaptation of the policies, guidelines, for example, covering:
  9. • Risk management.
  10. • Threats and vulnerabilities modeling.
  11. • Attacks path modeling and countermeasures.
  12. • Managerial aspects concerning information security.
  13. • Assessment of information security effectiveness and degrees of control.
  14. • Awareness and Education around security concepts for all stakeholders.
  15. • Standards for information security.
  16. • Reporting (e.g. disaster recovery and business continuity).
  17. • Theoretical and empirical analysis.
  18. • Economic aspects of the cybersecurity ecosystem.
  19. • Capability modeling.
  20. • Liaise with other stakeholders in the project and be the focal point for all cyber security related tasks.
  21. • Build and drive a successful cyber security practice for smart city project based on Industry and International best practices in the constantly evolving cyber threat landscape.
  22.  
  23. Also, should have certification in following:
  24. • Certified Information Security Manager (CISM)
  25. • Certified Information Systems Security Professional (CISSP)
  26. • COBIT or ISO 38500 IT Corporate Governance Manager
  27. • Information Technology Infrastructure Library (ITIL)
  28. • ISO/IEC 27001: 2013 Lead Auditor
  29. • Certified Ethical Hacker
  30. • Microsoft Certified Professional
  31. DUTIES & RESPONSIBILITIES
  32.  
  33. The Compliance and Audit activity provides the key elements that include:
  34. • Review existing governance models, structure, and process: Review documentation, capture existing practices, conduct interviews, draw the current landscape, and define the baseline for the engagement activity.
  35. • Define the targeted level of maturity on the governance level.
  36. • Perform Gap Analysis: Analyze current organizational governance structures with well-defined industry frameworks, standards, and models – identify opportunities to strengthen existing methods and structures and/or replace them with new and improved methods.
  37. • Define Governance Operating Model: Identifies governance structure inconsistencies, overlaps, and gaps among governance mechanisms and maps current governance processes and structures.
  38. • Plan of Action deliverables: Provides a set of deliverables that provide visibility and insights into the engagement activities, current landscape, achievable target state (i.e., desired state to accomplish), prioritized set of actions with milestones, to lead towards the target state to enhance and strengthen the security framework.
  39.  
  40.  
  41. Policy enablement:
  42. • Enable security policies on key aspects such as Digital identification, Global Security, Information Classification, IoT Security, and Organization Governance to improve security based on the emergence of new threats, new technological trends, and national/international regulatory framework evolution.
  43. • Ensure that policies are applied on use case and IoT services definition.
  44. • Collaborate with Microsoft on the definition of Cloud-based Security Control Framework to ensure and ease the sharing, compliance, and application of policies as well as the follow-up of the adoption of those policies by all ecosystem's stakeholders.
  45.  
  46. Awareness:
  47. The objective of the Awareness activity is to provide training and awareness sessions on information security to operators/key personnel. This awareness program shall be based on policies, standards, procedures, and best practices previously defined as well as performed in a risk-centric approach to enable operators to understand the stakes/challenges of cybersecurity within the program's context.
  48. The Awareness program should be conducted as an on-going program to ensure that training and knowledge are not just delivered as an annual activity, rather it is used to maintain a high level of security awareness on a daily basis.
  49.  
  50. • Assemble the Security Awareness Team
  51. • Determine Roles for Security Awareness
  52. • Identify levels of responsibility (Management, specific roles, and all other personnel)
  53. • Establish Minimum Security Awareness and the depth of the security awareness training required for each stakeholder
  54. • Determine the content of training and applicability
  55.  
  56. Risk Management:
  57. The Risk Management activity is including risk identification, analysis, and control. In the frame of security operations phases, the following actions are needed:
  58.  
  59. • Review and refresh the Risk register
  60. • Identify points of Risk Acceptance and ownership
  61. • Identify paths of Risk Escalation
  62. • Establish Risk Appetite
  63. • Identify, Analyze & Document
  64.  
  65. The improvements and modernization will provide benefit by:
  66. • Providing guidelines for governance security and privacy
  67. • Provide a mapping between client controls and industry standards
  68. • Ensure that an organization's security policy continues to meet the changing and evolving needs of the underlying business.
  69. • Maintain on-going situational awareness of the security state of an organization's network, information systems, and the environments in which those systems operate.
  70.  
  71. Privacy:
  72. • Extended knowledge with regulatory contexts such as GDPR, HIPAA, FFIEC, PCI, CJIS, etc. and mapping services with respect to protecting the information (integrity, confidentiality and availability) in accordance with these frameworks and with the policies enforced within the ecosystem (i.e. Information Classification Policy).
  73. • GDPR knowledge provides a complete approach to compliance, ensuring smooth adoption, and minimizing any future breach risk. Services are broad in scope and cover everything from the initial impact assessment to guidance in the appointment of a Data Protectioln Officer.
  74. • The Privacy related activities shall be conducted in agreement with incident management and response activities to be able to identify unauthorized presence before data leaks, apply protective measures and in the worst case, identify and retrieve the data leaked (DLP related controls)
Add Comment
Please, Sign In to add comment