The Manager, Information Security is responsible for executing detailed risk assessments and security solution reviews for KPMG technology projects. This is accomplished through adherence to all the key Security Risk Assessment phases: (a) identifying the need for a Security Risk Assessment, (b) articulating each risk observation in terms of its likelihood and impact, (c) recommending practical risk mitigation, (d) working with the business (vendor/firm project team) to develop and agree upon a risk mitigation plan, (e) presenting the Security Risk Assessment findings and mitigation plan for management (Senior Manager and/or NITSO) approval, and (f) updating the risk register on a weekly basis to ensure the completeness and accuracy of open and closed risks.
The role requires providing consultative advice and guidance to the business during the technology project phase. The Manager, Information Security will interact frequently with the project architects to ensure all relevant security measures have been embedded from project commencement.
This role supports the Senior Manager in effectively delivering on a 1-2 year security strategy to protect KPMG information assets.
Risk Assessment (Primary responsibility):
- Understand the firm’s security governance, policy/control framework and risk management approach
- Review new technologies, changes to existing technologies, on-prem/cloud based products and services for risk
- Actively participate in projects as the primary security resource providing guidance and input on architecture design, implementation and operational best practices
- Propose risk mitigation strategies, review with stakeholders and maintain an agreed upon risk management plan
- Track, manage and report on residual risks through the lifecycle
- Recommend changes to and maintain the information risk management framework
Security Architecture (Secondary responsibility):
- Review Technical Solution Architectures
- Advise Architecture team on recommended security protocols such as cryptography, public key infrastructure (PKI)
- Understand and advise on Firewall and Network device capabilities (Threat prevention, segregation, Layer 7 rules, SD-WAN, NAC)
Audit & Compliance (Supporting responsibility):
- Conduct vendor audits/assessments
- Respond to client questionnaires and client assessments
- Review security terms and conditions of technology contracts
Typical experiences required:
- 5-7 years in executing Security Risk Assessments, implementing security policy, technology, and security operations (demonstrated hands-on experience in managing security technology-based projects and in providing program management oversight and tracking against approved budgets).
- 2-3 years collaborative team experience required with technology and business staff along with leadership in a fast-paced and changing environment.
- High degree of knowledge and understanding of security industry practices and standards, specifically familiarity with ISO 27001, NIST, CIS
- Understanding of IT Risk management methodologies and developing key risk deliverables focusing on technology topics – including process flows, work programs, and risk reports.
- Experience with GRC and industry leading productivity tools to produce reports, data flow diagrams & visual representations
- Working experience with Cloud computing and services – including infrastructure, platforms, and software.