• Develop information security plans aligned with business goals and objectives.
• Identify current and potential legal and regulatory requirements affecting information security.
• Identify drivers affecting the company (e.g., technology, business environment, risk tolerance, geographic location) and their impact on information security.
• Obtain senior management commitment to information security.
• Define roles and responsibilities for information security throughout the company.
• Establish internal and external reporting and communication channels that support information security.
• Establish a process for information asset classification and ownership.
• Implement a systemic and structured information risk assessment process.
• Ensure that business impact assessments are conducted periodically.
• Ensure that threat and vulnerability evaluations are performed on an ongoing basis.
• Identify and periodically evaluate information security controls and countermeasures to mitigate risk to acceptable levels.
• Integrate risk, threat and vulnerability identification and management into life cycle processes (e.g., procurement).
• Report significant changes in information risk to appropriate levels of management for acceptance on both a periodic and an event-driven basis.
• Develop and maintain plans to implement the information security strategy.
• Ensure alignment between the information security program and other assurance functions (e.g., physical, human resources, quality, IT).
• Identify internal and external resources (e.g., finances, people, equipment, systems) required to execute the security program.
• Ensure the development of information security architectures (e.g., people, processes, technology).
• Establish, communicate, and maintain information security policies that support the security strategy.
• Design and develop a program for information security awareness, training, and education.
• Ensure the development, communication and maintenance of standards, procedures, and other documentation (e.g., guidelines, baselines, codes of conduct) that support information security policies.
• Integrate information security requirements into the company processes (e.g., change control, mergers, and acquisitions) and life cycle activities (e.g., development, employment, procurement).
• Develop a process to integrate information security controls into contracts (e.g., with joint ventures, outsourced providers, business partners, customers, third parties).
• Establish metrics to evaluate the effectiveness of the information security program.
• Manage internal and external resources (e.g., finances, people, equipment, systems) required to execute the information security program.
• Ensure that processes and procedures are performed in compliance with the companys information security policies and standards.
• Ensure the performance of contractually agreed (e.g., with joint ventures, outsourced providers, business partners, customers, third parties) information security controls.
• Ensure that information security is an integral part of the systems development processes and acquisition processes.
• Ensure that information security is maintained throughout the company’s processes and life cycle activities.
• Provide information security advice and guidance (e.g., risk analysis, control selection) in the company.
• Provide information security awareness, training, and education (e.g., business process owners, users, information technology) to stakeholders.
• Monitor, measure, test and report on the effectiveness and efficiency of information security controls and compliance with information security policies.
• Ensure that noncompliance issues and other variances are resolved in a timely manner.
• Develop and implement processes for preventing, detecting, identifying, analyzing, and responding to information security incidents.
• SPU REFERENCE: RFQ: SPU-CIO-MS-2024-01
• Develop plans to respond to and document information security incidents.
• Establish the capability to investigate information security incidents (e.g., forensics, evidence collection and preservation, log analysis, interviewing).
• Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
• Integrate information security incident response plans with the company disaster recovery and business continuity plan.
• Organize, train, and equip teams to respond to information security incidents.
• Periodically test and refine information security incident response plans.
• Manage the response to information security incidents.
• Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

Minimum Qualification

• Relevant Degree/Diploma in ICT. CISA certification advantageous
• Willingness to work outside normal hours.
• 5 to 7 years of related experience.

Minimum Experience

• Proficiency with enterprise information systems, file servers, networked data storage, application software, scripting and programming languages, data communication devices, and disaster recovery utilities
• Knowledge of current systems and network technologies and standards and their practical application in the enterprise environment
• Good understanding of IT Governance frameworks and legislation