Senior Infrastructure Security and Governance Manager
The successful candidate will maintain ownership of and oversee the operations of the Infrastructure Security and IT Security Governance program. They will partner with other IT staff, business leaders and teams in support of various key program components, including security policies and procedures, business continuity planning, disaster recovery planning and data security governance. Additionally, they will be responsible for all aspects of the information systems security training and awareness program. The candidate will build and maintain the security policies, security procedures, business continuity and disaster recovery plans. They will work in concert with communications staff within the Align corporate environment to effectively socialize safe and secure computing practices and procedures, as well as the security operations, compliance, information security and privacy responsibilities required of staff. This is a hands-on role.
Duties & Key Responsibilities
- Evolve and maintain Align’s risk based Information Security Policy framework and process, which includes the Information Security Policy and Information Security Standard aligned to the ISO 27000 series of standards, and Technical Build Standards (hardening guides);
- Create and maintain mapping between Risks, the Information Security Policy Framework, and Technical and Administrative security controls;
- Assist in implementing, executing and maintaining annual control effectiveness assessments;
- Define and maintain the secure coding standard in conjunction with the Security Architect;
- Define, maintain and execute the processes for maintaining and reviewing the relevant Information Security Policy framework and related Standard documents within Align;
- Develop, maintain and evolve the security controls repository (current-state catalogue for security architecture);
- Creatively identify, and coordinate with the communications team, training and awareness opportunities to help ensure appropriate and effective communication of information security policies, standards, and procedures.
- Partner with Corporate Communications and various IT and R&D organizations to conduct and manage an ongoing company-wide phishing program.
- Communicate information protection risks and issues to all levels of management, including security issue identification, escalation and resolution.
- Work with IT and R&D teams to analyze security risk likelihood and impact in order to determine training and awareness initiatives and plans for execution.
- Synthesize and communicate information to effectively show the relationship between safe computing practices and the actual risk posture.
- Stay up to date on the direction of emerging security issues and assess the need for out-of-cycle and other out-of-band communications with employees and contract personnel.
- Oversee security education and compliance training in support of HIPAA, PCI and applicable regulatory requirements.
- Identify, evaluate, conduct and/or coordinate, schedule and lead information security training and awareness functions leading to the adoption of key security behaviors and actions by employees and contractors.
- Develop, implement and maintain the enterprise's security education, training and awareness program;
- Work with both IT and business leaders to develop and regularly test the company’s Business Continuity Plan and Disaster Recovery Plan;
Skills and Experience
- Bachelor's degree in computer science or a related discipline, or equivalent years of experience; Juris Doctor (preferred)
- 12+ years of experience in the information security field highly desirable.
- Broad experience in the field of technology and at least five to ten years’ experience in information security, preferably in the field of maintaining information security policies and standards;
- Strong knowledge of the ISO 27000 series of information security standards and other related industry best-practice standards;
- Focus on quality and attention to detail;
- Strong analytical skills coupled with the ability to understand complex and sometimes conflicting security drivers;
- A self-starter, with strong personal discipline and effective time management that is capable of setting and achieving challenging personal targets.
- Excellent time, resource, and project management skills in order to manage multiple parallel engagements with conflicting priorities to successful completion;
- Excellent written and verbal influencing and communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk related concepts to both technical and non-technical audiences;
- Ability to work remotely across multiple geographical borders and time zones; and
- Considerable experience of dealing with the most senior business and IT people in an organisation and major IT suppliers at an operational and management level.
- Certified Information Systems Security Professional (ISC2 CISSP); or
- Certified Information Security Manager (ISACA CISM).
Key skills and experience required:
- Critical thinking and thorough analysis
- Extensive experience in monitoring data protection and cybersecurity obligations
- Proven experience in Information Security Policy development and risk management, preferably in a global organization
- Understanding of risk management and effective Information Security strategy, practices, technologies and controls frameworks
- Experience working with External Auditors to ensure effectiveness of security policy and governance
- Ability to translate complex security communications / messages in a simple, clear and concise manner to the various communities within our organization. This can include different cultures, nationalities, international locations and languages.
- Display practical knowledge of different message distribution techniques to ensure end user communities understand and continually apply the required behavioral change necessary to reduce human risk.
- Ability to communicate with and coordinate the activities of others.
- Understanding of the concepts of information risks and the different elements that make up risk. In addition, have at a minimum a basic understanding of the different concepts of information security.
Job ID P136452