Information Security Officer

Gowling WLG
15 Sep 2017
13 Oct 2017
About Gowling WLG

Gowling WLG is a new international law firm created by Gowlings, a leading Canadian law firm, and Wragge Lawrence Graham & Co (WLG), a leading UK-based international law firm. We built Gowling WLG to provide clients with legal services at home and around the world, and to help you succeed no matter how challenging the circumstances. Gowling WLG clients have access to in-depth expertise in key global sectors along with a top-tier suite of legal services. With more than 1,400 legal professionals across offices in 18 cities worldwide and specialised expertise in countries around the globe, we're positioned to help clients rise to the challenges they face - both today and tomorrow.

Main Purpose of the Job

- To manage, maintain and monitor the Information Security Management System (ISMS) within the firm's Integrated Management System (IMS)
- To act as an interface between the strategic and process-based activities and the work of the technology-focused experts, analysts and administrators in the IT organisation
- Translating the IT-risk requirements and constraints of the business into technical control requirements and specifications, as well as developing metrics for ongoing performance measurement and reporting
- Coordinating the IT organisation's technical activities to implement and manage security infrastructure, and to provide regular status and service-level reports to management
- To work with the IT organisation and business management to align priorities and plans with key business objectives
- Acting as an empowered representative of the IT Director during IT planning initiatives to ensure that security measures are incorporated into strategic IT plans and that service expectations are clearly defined
- Working with business and IT stakeholders to balance real-world risks with business drivers such as speed, agility, flexibility and performance
- To embed a culture of information security within the firm, with a focus on security by design

Direct reports: None

Indirect reports: All staff involved in work that may affect the firm's information security

Main Duties and Responsibilities

- Leading the development of information security policies, procedures and standards in line with business needs, assisting the Service Delivery teams in enforcing the agreed policies and auditing adherence to those policies in line with agreed KPIs and SLAs
- Managing and maintaining security communication and awareness campaigns for staff - particularly core technical staff, but also including all levels up to and including senior leaders - to enhance the security culture and develop a general understanding of their responsibilities, including:
  - supporting the hiring of new staff with information security skills
  - training new staff on security awareness
  - conducting information security related performance reviews, providing leadership and coaching, plus technical and personal development programmes for core technical staff
- Managing security projects and providing expert guidance on security matters for other IT projects
- Monitoring and ensuring compliance with security standards such as ISO 27001
- Carrying out information security related audits and third-party supplier audits, analysing results from third-party security questionnaires and audits, identifying the risks within those results and publishing them within the ISMS
- Assisting resource owners and IT staff in understanding and responding to security audit failures reported by auditors
- Managing the identification and rectification of security incidents, reporting progress and providing expertise in response to emerging threats
- Advising management on how to meet any information security requirements, and on any changes to information security regulations/compliance
- Managing and driving the business to respond accurately and appropriately to due diligence questionnaires and external audits
- Acting as an initial escalation point within the BIS department to respond to Information Security questionnaires
- Developing a knowledge base and FAQ section for Information Security
- Carrying out information risk assessments in line with ISO 27001 and maintaining the results within the ISMS
- Complying with the Integrated Management System (IMS) to ensure alignment and adherence to common document format, communications, testing and review
- Developing, maintaining and publishing a security information pack to be distributed to selected clients on request or as part of the client on-boarding process
- Liaising with clients/potential clients in relation to their information security requirements
- Improving the process (including automation) of client security audits
- Helping to drive a security culture within the BIS team through regular educational sessions, being a champion for how good information security is a business enabler rather than a blocker
- Supporting the BIS Leadership team to embed Information Security into the overall Enterprise Architecture by:
  - working with the enterprise architecture team to ensure that there is a convergence of business, technical and security requirements
  - liaising with IT management to align the existing technical installed base and skills with future architectural requirements
- Being involved in the budget-setting process and building business cases for investment in tools that may improve the security posture of the firm
- Monitoring suppliers for performance against targets and deliverables to ensure that any projects remain on budget
- Working as a liaison with vendors and the legal and purchasing departments to establish mutually acceptable contracts and service-level agreements
- To support Business Solutions & Change and Service Delivery by consulting with and educating staff to ensure that any proposed software developments or changes do not compromise the security of the firm's data, and monitoring to confirm that staff are:
  - understanding security requirements and issues, and identifying the encryption and controls needed to protect information
  - adhering to privacy by design principles, enabling the use of test data, pseudonymisation and encryption at rest, and the ability to delete data
  - building full auditing and error logging into any applications or customisations
  - developing the ability to output logs of security events to security monitoring software
  - prioritising security above functionality and performance, whilst being pragmatic and taking a risk-based approach
  - ensuring that security is factored into the evaluation, selection, installation and configuration of hardware, applications and software
- To perform professional solution delivery by:
  - Maintaining a knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, and laws and regulations
  - Maintaining team knowledge by participating in educational opportunities; attending professional conferences and events; maintaining personal networks; participating in professional organisations such as ILTA and Litig
  - Participating in knowledge gaining and sharing amongst Enterprise Architects, Digital Innovators, Solution Architects, SMEs, Developers and Solutions Architects as well as Service Delivery staff (such as the Service Change and Management Leads and the Subject Matter Analysts) by utilising corporate membership of industry bodies and knowledge providers (e.g. Gartner)
  - Participating in, contributing to and networking within cross-BIS 'Communities of Interest' relating to the core technology platform areas
  - Helping to educate peers, including on current technology trends
  - Considering the development of a visual management board that summarises the status of information security management throughout the firm
- To support the Head of Architecture and Innovation and BIS by:
  - Performing any other reasonable tasks as requested, including requests from other senior BIS leaders
  - Performing the Service Delivery Out of Hours Support (OHS) 'Duty Manager' role on a rota basis
  - Supporting Service Delivery with global incident management, business continuity and resolution, assisting and guiding the planning team in the selection of recovery strategies and the development, testing and maintenance of disaster recovery plans
  - Responding to service incidents/BAU (RUN tasks) as required by the Service Delivery Business Partners - this should always be the highest priority for all BIS staff

Key skills and experience

- Ideally a graduate qualified in computer science/information systems/related fields with a specialism in information security, and/or
- Seven or more years of IT and Business User experience, with sensitivity and commitment to business problem solving - ideally experience of working with a range of technologies (including Microsoft) within business/operations areas of the legal profession or other professional services
- A minimum of five years of demonstrated competency in information security management and control
- At least two years of expertise in leading project teams and developing/managing information security projects - including resource balancing across multiple IT teams, task prioritising and project reporting
- Supporting the IMS (Integrated Management System) policies and strategies - balancing operational tasks with longer-term strategic security efforts
- Vendor relationship management - ensuring that service levels and vendor obligations are met
- Identifying information security needs and taking the initiative to fulfil the related requirement
- Strong working knowledge of ISO 27001 and the ability to carry out information security audits
- Understanding of compliance.....