Who we need
Our client needs you if you are willing and able to make our organization even more resilient against information and cyber risk, with a focus on vulnerability management in alignment with DNB RSA and DORA requirements, including creating and improving demonstrability.
Our playing field
Our data-driven organization where digitalization, AI, information, cybersecurity and regulatory compliance are key is dealing with many internal and external factors. We need more specialists in our information and cybersecurity domain.
With an ever-increasing threat landscape and regulatory compliance like MIFID, DORA, NIS2 and GDPR our work is becoming more complex. We also are growing our DevOps teams and are encouraging citizen development while our business is becoming fully integrated with IT and where artificial intelligence is commonplace. The Resilience team supports our business embedding information security into business processes. Information security is regarded as a shared responsibility.
Your role and activities
Your role is to take on both tactical and operational activities, as stated below:
Tactics:
- Responsibility for improvement and design of the vulnerability & patch management process.
- IT process group participation, specifically regarding vulnerability & patch management processes
- Global Design reviews; new business application designs need to be reviewed for proper embedment of security
- Policy reviews; new or changed policies need to be reviewed from an information security perspective
- (New) business initiatives security assessments; all new initiatives need to be reviewed on information security aspects and where applicable advice is provided to embed security
- Internal process quality improvement activities; together with the IRM Community we work on continuous improvement of our processes, procedures and tooling
Operational:
- Responsibility for execution of the vulnerability & patch management process. Activities are: chasing follow-up actions with the DevOps teams, management reporting, SPOC in the team, etc.
- Application CIAP reviews; new business applications need to be rated for confidentiality, integrity, availability and privacy. Existing CIAP ratings need to be re-assessed to verify whether the current rating is still adequate.
- Risk item mitigations; determine actions, find action owners, chase actions and report back
- (Yearly) review participations; for existing business applications review changes, determine associated risk and propose remediations if needed
- Risk Self Assessments; for new non-cloud business applications information and cyber risk needs to be determined and weighed against risk appetite
- Exception request review; employees sometimes request exceptions to policy rules, these need to be weighed for risk
- RFI/RFP participation; when new business solutions are sought in the market, information security requirements must be included in requests for information and requests for proposals.
Your skills
Being a motivated self-starter who is communicative, cooperative and assertive is what will make you thrive here. You have a business-enabling security attitude, helped by your analytical skills in combination with common sense. Dealing with resistance while keeping an eye on risk appetite is everyday business for you. Being proficient both verbally and in writing in Dutch and English is a requirement. You take ownership of the tasks at hand. Accuracy is paramount.
Your experience
Relevant experience in the information security domain is needed, at least 8 years. You have an understanding of market practice rules & regulations and their impact. You are familiar with technical and operational aspects of IT security, with expertise regarding patch/vulnerability management. You are familiar with vulnerability management tooling, such as Rapid7 InsightVM or comparable. Since we work agile you should be familiar with this way of working (e.g. SAFe).
Your education and certification
A relevant Bachelor's or Master's degree is required to do the work, where at least one certification like CCSP, CISSP or CISM provides a (theoretical) foundation.
Note:
- This role is not suitable for ZZP.
- Place of employment is Heerlen or Amsterdam.
- Hybrid working; office attendance in consultation with the team.
- Duration of assignment is six months with option to extend.
Qualification/Licensure:
- Preferred years of experience : 8+ Years
- Travel Required : 25% to 50%
- Shift timings: Not specified
- Posted: Jan 16, 2025
- Type: Contract
- Level: Mid-Senior
- Location: Amsterdam
- Company: Gazelle Global