We’re recruiting for an Information Security Senior Governance, Risk and Compliance Analyst to join our Kilbirnie Street site in Glasgow.
Full time, Monday–Friday, 8.30am to 5pm
About the role
This role will ensure the key aspects of the Arnold Clark Information Security Strategy are implemented across the Group, integrating Information Security best practices within all working practices and enabling Information Security to become a business differentiator across all digital channels.
The role is responsible for ensuring all technology implementations are secure across all Information Security areas inclusive of third-party due diligence, data security and project consultancy.
- Deliver technical security consultancy on significant security projects for our programmes delivering key aspects of security such as identity and access management (IDAM), data loss prevention (DLP), or regulatory requirements such as Cyber Essentials +, PCIDSS or GDPR.
- Presenting, developing, and maintaining Arnold Clark's Digital Risk Management Framework
- Oversight of cyber security risks and issues, including independent review, assurance review and timely reporting to key stakeholders in relation to the effectiveness of the control environment.
- Contributing to the development of appropriate systems and tools to measure and report on key Information Security risk management metrics and support reporting to subsidiary boards, and leadership teams where appropriate.
- Liaising with third parties to provide the necessary assurance required as part of a business tender or information security audit.
- Compliance reporting on external frameworks such as Cyber Essentials +, GDPR and PCIDSS and any associated risks and required steps.
- Execution of the Arnold Clark audit process for third parties to ensure that risks are identified and managed.
- Working closely with the Information Security Operations team to identify, track and report on risks to the Arnold Clark organisation.
- Interpret cybersecurity relevant regulatory and other requirements or best practices and translate these to business aligned cybersecurity requirements.
- Lead business stakeholders with design and implementation of cyber security operational best practice and process and control improvements.
- Develop, input, and monitor key Cyber Security Strategy and architecture initiatives.
- Examine employee compliance with security controls and deficiencies.
- Providing recommendations on security best practises for cross portfolio projects
- Carry out cyber security review (technical) of new products/solutions.
- Internal technical teams
- Internal business non-technical teams
- Third parties – Assurance
- Third parties – Due diligence
- Information Security consultancy vendors
Required experience and skills
- Extensive experience working in information security is not required for this role. However, this position would be suited to someone who has worked in a similar role with exposure to information security practices and has the ability to learn quickly.
- Knowledge of or exposure to information security frameworks, including PCIDSS, Data Protection, GDPR, ISO27k Series, etc. is desirable.
- Experience of drafting/maintaining policies, processes and standards.
- Experience of enterprise risk management frameworks and methodologies.
- Good understanding of information technology stacks including networks, server, client, mobile and security technologies and the ability to understand and discuss technical concepts.
- Third-party assurance and due diligence experience is highly desirable.
- Strong situational analysis and decision-making abilities.
- Ability to prioritise your own workload according to business and operational demands.
- Ability to interact with subject matter experts and liaise with users at all levels and build relationships.
- Qualifications within IT Security, such as CompTIA Sec+, CRISC, CISA, CISM highly desirable but not essential.
- Willingness to obtain security qualifications and experience on the job training.
- Minimum of five years’ experience in an information technology role.
- Provide security consultancy to projects ensuring
- Due diligence activities are carried out against third parties where required.
- Assurance is provided to third parties where required.
- Assiting Arnold Clark Digital across the risk lifecycle as part of information security’s role as custodian of the Arnold Clark Digital risk register.
- Established relationships are in place with internal stakeholders.
In return for your skills, you’ll receive one of the best employee benefits packages in the automotive industry, including free private healthcare, pension, life assurance, generous staff discounts, and all the training you need to help you to succeed in your role.
Employment within the Arnold Clark Group is offered subject to satisfactory reference and disclosure check.
Closing Date: 20 April 2021