Role Purpose:
Support the wider team with Information Security controls assurance activities and governance of Information Security Standards & Guidelines.
Key relationships & committees:
Maintain key relationships with Cyber Security stakeholders and second line of defence.
Support Business Information Security Officers across different LSEG divisions.
Key Responsibilities:
- Provide support with the execution of risk and controls assessments and other cyber-assurance-related activities for the Control Assurance and Standards function.
- Maintain and update the cyber control library ensuring controls and other key attributes of the library are aligned to industry best practice (NIST Cyber Risk Institute Profile).
- Conduct the assurance of cyber controls with control owners.
- Support the wider team with testing of security controls, ensuring artefacts and metrics are reviewed to demonstrate controls are designed and operated effectively (DE & OE).
- Track control deficiencies with control owners through to completion.
- Update and maintain Cyber Security Standards in line with industry best practice.
- Ensure the annual review of Cyber Security Standards is completed. Manage internal stakeholder feedback.
- Support LSEG divisions in maintaining Security certifications and attestations (ISO 27001, SOC 2) from a Controls and Standards perspective.
- Assist and support other GRC teams and wider cyber security team to ensure their deliverables are met.
- Work closely with audit and regulatory teams regarding queries around controls and standards.
- Perform maturity and gap assessments of cyber controls and standards to industry recognised best practice.
- Liaise with multiple stakeholders across different business units (e.g. BISOs, other LSEG legal entities, second and third line of defence), ensuring GRC-related queries are addressed in a timely manner.
Technical/Job Functional Knowledge:
- Have a good understanding of the NIST Cyber Risk Institute Profile, ISO 27001, SOC 2 and/or the ISF Standard of Good Practice.
- Experience of conducting RCSA/RCA or other cyber control assurance activities. Knowledge of testing controls to determine if they are designed and operating effectively (DE & OE). Be able to challenge control owners, identify control gaps and propose suitable remediation plans.
- Experience in reviewing Information Security Standards, understanding the hierarchy of policies, standards and guidelines to determine the level of detail which is suitable for each.
- Although this is not a technical role, you must be able to demonstrate technical competence: experience of implementing and reviewing cyber controls for Identity & Access Management, Perimeter Security, Vulnerability Management, Security Engineering, Security Architecture, Security Operations Centre and Cloud Security.
- Proficient in Microsoft Office, in particular Excel and PowerPoint. Be able to analyse data and produce reports and metrics. Experience in the use of a cyber GRC platform is preferred.
- Experience in maintaining cyber security certifications and attestations (ISO 27001 and SOC 2).
- Good understanding of upcoming legal and regulatory requirements affecting Information Security and Technology.
- Experience in Financial Services or other organisations where mature cyber controls are implemented would be beneficial.
- Suitable qualifications such as CISSP, CISM, CRISC or MSc in Information Security.
Personal Skills and Capabilities:
- An adaptable team player.
- As required, support other GRC teams or work on ad-hoc projects. This is a role where your peers will be able to support you and, likewise, you should be able to support them on engagements which cover different GRC domains.
- Good communication and presentation skills when engaging with clients and other internal stakeholders. This role requires you to regularly interact with 2LoD and different legal entities within LSEG.
- Be able to work within a global team which is based across multiple locations.
- A can-do attitude, being able to meet deadlines and prioritise workload.
- Objective analysis of poorly defined problems.
- Partnership and influence.
- Negotiation management.
- Able to engage with technical stakeholders and discuss technical controls.