Lead-Governance Risk and Compliance en Nayara Energy Limited

1. DUTIES & RESPONSIBILITIES

1

2

3

4

5

6

7

LEADERSHIP

GOVERNANCE

RISK ASSESSMENT

SUPPLY CHAIN RISK MANAGEMENT

AWARENESS & TRAINING

POLICY COMPLIANCE

MISCELLANEOUS

• Perform other duties as assigned to ensure the smooth functioning of the department. 
• Recommend programmatic and technical inputs and operate with a high degree of independence in matters relating to the investigation, impact, and analysis of security incidents, decisions regarding risk, and measures for computer and network security.
• Operate with a high degree of independence with regard to project management activities, including development of project plans and resource estimates.
• Understand, assist and co-ordinate for legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations

• Develop and share Weekly, Monthly and Yearly reports with Head – Information Security, showcasing status and posture of Information Security Program at Nayara Energy
• Develop and maintain Information Security Online Dashboard for Information Security
• Develop & implement Information Security Metrics Program for continuous monitoring and assessing the effectiveness of Information Security controls
• Co-ordinate with relevant functions to collect required data for the Information Security Metrics Program
• Assist Head Information Security to design, implement, and maintain Nayara’s cybersecurity plan and Information Security Program.
• Assist Head Information Security for other governance activities.

• Identify and document asset vulnerabilities and threats (internal and external).
• Receive cyber threat intelligence from information sharing forums and sources.
• Identify potential business impacts and likelihoods.
• Use threats, vulnerabilities, likelihoods, and impacts to determine risk.
• Identify and prioritize risk responses.
• Suggest risk mitigations & IT controls and ensuring information security best practices are designed, implemented and monitored.
• Co-ordinate for Risk Assessment of Business Function’s IT systems 
• Benchmark and compare security practices with the industry. Demonstrate knowledge, Implementation, operations and maintenance of information security standards and frameworks like NIST Cyber Security Framework, ISO/IEC 27001, COBIT, ITIL, etc. as applicable.

• Develop & Implement Information/Cyber Security Supply Chain Risk Management framework
• Assist Head Information Security to ensure organizational stakeholders identify, establish, assess, manage, & agree to cyber supply chain risk management processes.
• Use contracts with suppliers and third-party partners to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Information / Cyber Security Supply Chain Risk Management Framework.
• Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. 
• Conduct response, recovery planning and testing with suppliers and third-party providers.

• Develop content for Information Security refresher awareness training and New Joiner induction program
• Assist Head Information Security to ensure all users are informed and trained.
• Assist Head Information Security to ensure privileged users, senior executives, third-party stakeholders, physical and cybersecurity personnel understand their roles and responsibilities.

• Lead the system-wide information security compliance program, ensuring IT activities, processes, and procedures meet defined requirements, policies and regulations.
• Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
• Execute strategy for dealing with increasing number of audits, compliance checks and external assessment processes for internal/external auditors based on NIST Cyber Security Framework

• Assist with forensics, analysis and fact gathering.
• Record and track Information security incidents, including but not limited to copyright violations, compromised accounts, e-mail threats, and abuse reports from various sources.

1. SKILLS & KNOWLEDGE

1. Educational Qualifications & Allied Skills:

• Bachelor's or master's degree in computer science, information systems, or equivalent work experience. An M.B.A. or M.S. in information security is preferred.
• Minimum of 9-13 years of experience in a combination of risk management, information security and IT jobs. 
• Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate security and risk-related concepts to technical and nontechnical audiences.
• Proven track record and experience in developing information security policies and procedures, as well as successfully executing programs that meet the objectives of excellence in a dynamic environment
• Knowledge and understanding of relevant legal and regulatory requirements, such as IT Act 2000, and Payment Card Industry/Data Security Standard, NIST Cyber Security Framework, etc.
• Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives
• Project management skills: financial/budget management, scheduling and resource management
• Professional security management certification, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH) or other similar credentials, is desired
• Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and ones from NIST
• Audit of financial systems
• Audit of SAP system