Business Information Security Officer

About The Position

Requirements

• Management of an Information Security Management System in a complex IT organisation encompassing service delivery, application development and IT infrastructure.
• Completion of Information Security questionnaires as part of RFP responses.
• Line management of team members.
• An excellent understanding of best practice within Information Security and risk management including standards such as ISO 27001.
• A strong understanding of one or more areas or legislation and regulations that impact information Security E.g. GDPR, HIPAA, PCIDSS, CCPA.
• An understanding of current and emerging threats and countermeasures and the product challenges to addressing these threats
• An understanding of Application Security threats and countermeasures
• A good practical knowledge of security technologies and wider business solutions including DevOps, Identity and Access Management, penetration testing tools, remote working and cloud technologies.
• The ability to work within a compliance or regulatory framework and to evidence continuous improvement.
• Excellent communication skills, both written and verbal. Ability to present complex or highly technical issues in simple and easy-to-understand formats.
• An ability to think and plan strategically and systematically while recognising the need to deliver to the business requirements.
• The ability to be pragmatic while balancing the needs of the business against security
• The ability to cut through organisational and political barriers to achieve the overall goal.
• An appropriate degree, equivalent qualification or experience.

Nice To Haves

• One or more of the following qualifications are highly desirable:
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)
• Certified Information systems Auditor (CISA)
• Achieved Senior or Lead level certification in the NCSC’s Certified Cyber Professional scheme in one or more of Security and Information Risk Advisor (SIRA), IA Architect, IA Auditor, IT Security Officer
• Experience using GRC platforms to define and manage InfoSec policies, prepare for audits and manage risk.
• Experience of tooling to manage RFP responses.
• Perform SAST/DAST scans & Pen Test assessments.
• Experience with automated cloud compliance.

Responsibilities

• Align to Precisely Information Security Management System across the Engage business unit that addresses the needs of Engage, staff, partners, customers, and other external stakeholders in line with relevant legislation and industry standards
• Maintain current SOC 1 & 2 Type II, HIPAA HITECH and ISO 27001 & 27701 certification for Engage software products.
• Maintain documentation and processes necessary to comply with contractual obligations and customer security requirements.
• Implement additional compliance in coordination with Precisely InfoSec Compliance as needed for each software product.
• Maintain robust and fit-for-purpose operational procedures.
• Ensure that the structures and reporting systems are in place to allow the Engage Information Security team to work with the Precisely CISO Office in maintaining the highest standards of quality, legal and regulatory compliance and corporate governance in all areas.
• Provide advice and direction to the Engage Product Management team, on how software products can comply with regulations.
• Propose changes to the Engage Information and Cyber Security systems, processes and procedures by continuously analysing and reviewing appropriate security technologies and practices as informed by Precisely standards.
• Ensure that information and Cyber Security risks to Engage are identified and managed appropriately.
• Use and improve Precisely measures and metrics to support the assessment, reporting and ongoing improvement of the Engage information security posture.
• Work closely with internal stakeholders to keep abreast of planned changes to technologies, working practices, and business activities that could have an impact on Engage’s Information Security or risk profile.
• Maintain the Precisely information assurance framework for Engage, enforcing compliance with policies in conjunction with internal audit.
• Align to Precisely standards and oversee Cloud Governance procedures for all infrastructure running in the cloud.
• Coordinate quarterly DAST scans, annual internal pen testing and annual third-party penetration testing across all Engage products.
• Maintain accurate security scorecards across all products. Work with product teams to prioritise work to improve security score. Communicate security risks to Precisely InfoSec Risk Board and senior leadership.
• Coordinate monthly vulnerability scans for all internal and cloud-hosted infrastructure.
• Achieve high scores in third party cybersecurity ratings including BitSight to maintain brand reputation for Engage assets.
• Maintain accurate inventory of open-source component usage across Engage products. Coordinate legal review for use of components that breach policies.
• Coordinate annual legal review of privacy across Engage products.
• Ensure all Engage products comply with US cryptography export regulations.
• Assist investigations into information security breaches under Precisely Incident Response process with Precisely CyberSecurity Operations Center ensuring root-causes of such breaches are understood and addressed.
• Assist as SME in responding to information security questionnaires during RFP process.
• Write and maintain technical security whitepapers for Engage software products.