Information Security Governance, Risk & Compliance Analyst
Location
Kilbirnie Street, Glasgow
Hours
Full time, Monday–Friday, 8.30am to 5.00pm.
About the role
This role will help ensure that Arnold Clark information systems are appropriately secured and do not incur excessive risk to business information or services. Where required, risks will be identified and escalated through to ensure remediation.
The successful candidate will work very closely with internal technical and non-technical teams to ensure risks are identified and that the business aligns to the Arnold Clark Information Security policies and standards.
A large portion of the role will also include dealing with third parties to perform the necessary assurance and due diligence tasks.
Key responsibilities
- Engaging with internal projects to ensure that Information Security is represented and that Information Security requirements are met.
- Liaising with third parties to provide the necessary assurance required as part of a business tender or information security audit.
- Conducting the required due diligence steps against third parties which handle Arnold Clark information.
- Compliance reporting on external frameworks such as DPA 2018, GDPR and PCIDSS and any associated risks and required steps.
- Execution of the Arnold Clark audit process for third parties to ensure that risks are identified and managed.
- Working closely with the Information Security Operations team to identify, track and report on risks to the Arnold Clark organisation.
- Managing the Arnold Clark Information Security risk register including the opening and closing of risks and reporting of risk
- Advising on Information Security risks and be able to clearly articulate with authority the required actions of the responsible parties
- Escalating any identified risks, issues, threats and vulnerabilities to the Arnold Clark Information Security Officer.
Internal stakeholders
- Internal technical teams
- Internal business non-technical teams
External stakeholders
- Third parties – Assurance
- Third parties – Due Diligence
- Information Security consultancy vendors
Required experience and skills
- Extensive experience working in Information Security is not required for this role. However, this position would be suited to someone who has worked in a similar role with exposure to Information Security practices and has the ability to learn quickly.
- Basic knowledge of or exposure to Information Security frameworks, including PCIDSS, Data Protection, GDPR, ISO27k Series, etc. are desirable.
- Experience of drafting/maintaining policies, processes and standards.
- Exposure to risk management and process to ensure risks are documented, reported and escalated appropriately.
- Good understanding of Information Technology stacks including networks, server, client, mobile and security technologies and is able to understand and discuss technical concepts.
- Third-party assurance and due diligence experience is highly desirable.
- Project engagement experience desirable to consult with projects for the Information Security team.
- Strong situational analysis and decision-making abilities.
- Ability to prioritise your own workload according to business and operational demands.
- Ability to interact with subject matter experts and liaise with users at all levels and build relationships.
- Qualifications within IT Security, such as CompTIA Sec+,CISSP, CRISC, CISA, CISM highly desirable but not essential.
- Willingness to obtain security qualifications and experience on the job training.
- Minimum 3 years’ experience of information technology role.
Key measures
- Ensure Information Security is represented in projects and requirements are met.
- Due diligence activities are carried out against third parties where required
- Assurance is provided to third parties where required
- Reporting of risk into risk register and to Information Security Officer
- Established relationships are in place with internal stakeholders.
Employment within the Arnold Clark Group is offered subject to satisfactory reference and disclosure checks.