
Job Description

Information Security GRC Lead
· Implements security controls, a risk assessment framework, and a program that align with regulatory requirements, ensuring documented and sustainable compliance that aligns with AXA Group Security Standards.
· Manages the cyber and information security risk management lifecycle, including gaining assurance over all existing and relevant cyber and information security policies and standards.
· Evaluates risks and develops security standards, procedures, and controls to manage them.
· Improves the security posture through process improvement, policy, automation, and the continuous enhancement of capabilities.
· Regularly produces full gap analysis reports on areas of improvement and risk, recommending thorough mitigation plans including justification for the options considered.
· Implements governance, risk and compliance (GRC) processes to automate and continuously monitor information security controls, exceptions, risks, and testing.
· Develops reporting metrics, dashboards, and evidence artifacts.
· Defines and documents business process responsibilities and ownership of the controls in GRC.
· Schedules regular assessments and testing of the effectiveness and efficiency of controls and creates GRC reports.
· Has experience in implementing an ISMS, performing internal reviews, and drafting and enforcing policies in accordance with AXA Group Security, ISO 27001, and PCI-DSS.
· Works with the Third Party Risk Management (TPRM) lead to share good practice and ensure alignment on all cyber risks facing AXA, both internal and external.
· Performs Third-Party Risk Assessments (when applicable).
· Contributes to and checks the contractual cybersecurity clauses; liaises with the Legal department whenever needed; reports the risks of clause non-execution to the project manager or to management.
· Works with IT and business teams in planning, process mapping, documentation and testing of the cyber-focused elements of risk.
· Drives AXA's cyber and information security culture, acting in an ambassadorial role across the business and able to communicate with all levels of staff.
· Demonstrates an aptitude for reporting and communicating complex information security risk concepts to technical and non-technical audiences.
· Independently produces comprehensive write-ups of current risks and threats as they develop, with expedient updates as situations change and span different threat vectors.
· Proactively monitors and informs senior stakeholders on emerging cyber risks and threats, providing a view through a business lens on potential impacts.
· Owns the creation and presentation of cyber and information security performance against governance frameworks and risk appetite.
· Develops and maintains AXA's Security Risk Process, including: assessing the potential business impact that could result from a security breach, and the resultant value of the security of information; identifying security weaknesses and vulnerabilities; modelling security threat scenarios; assessing the likelihood of such threat scenarios; and assessing the overall risk level and identifying and recommending appropriate controls to manage the risk.
· Updates security controls and provides support to all stakeholders on security controls covering internal assessments, regulations, secondary assurance, and the Minimum Technical Security Baseline.
· Performs and investigates internal and external information security risk and exception assessments.
· Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
· Documents and reports control failures and gaps to stakeholders; provides remediation guidance and prepares management reports to track remediation activities.
· Assists other staff in the management and oversight of security program functions.
· Trains, guides, and acts as a resource on security assessment functions for other departments.
· Remains current on best practices and technological advancements and acts as the Information Security resource for security assessment and regulatory compliance.
· Formulates detailed reports of internal reviews and periodic assessments.
· Conducts organization-wide information security awareness training.
· Coordinates with Infrastructure and business systems teams to implement identified controls, policies, and procedures.

Skills



Experience, Knowledge and Skills:

Education & certification

Education
· Bachelor degree in Computer Science, Engineering, or related field.
· An MSc Information Security would be desirable but is not essential
Certification
· Certified Information Systems Security Professional (CISSP) preferred
· ISO 27001 Lead Implementer or ISO 27001 Lead Auditor certification strongly preferred
· CRISC preferred
· CISA preferred

Skills / Abilities

· Experience and strong knowledge in cybersecurity
· Knowledge of risk assessment models
· Knowledge of auditing and reporting procedures
· Ability to implement risk monitoring and testing procedures
· Ability to build relationships with key stakeholders
· Ability to understand broader business issues
· Strong communication and presentation skills

Job Location: Cairo, Egypt
Job Role: Information Technology

Job Details

Job Location
Cairo, Egypt
Company Industry
Other Business Support Services
Company Type
Unspecified
Employment Type
Unspecified
Monthly Salary
Unspecified
Number of Vacancies
Unspecified
