Information Security Risk & Assurance Specialist
Posted 4 hours 5 minutes ago by WeAreTechWomen
Permanent
Full Time
Other
Berkshire, Reading, United Kingdom, RG317
Job Description
Overview 
We are committed to diversity and inclusion and believe everyone has value. We value everybody for who they are and what they bring to the table, supporting one another as we continue to deliver for our customers.
Responsibilities
- Create and maintain an information security management system (ISMS) capable of demonstrating compliance against internal security requirements and external commitments, including certification and regulatory requirements.
- Provide subject matter expertise in the application of established standards such as NIST, PCI-DSS, GDPR, COBIT, ISO 27001 and Cyber Essentials to current and future programs of work.
- Prepare for and support internal and external compliance audit activities.
- Manage remediation of audit non-conformities (internal and external).
- Ensure security policy, on a risk-based approach, is produced, signed off by relevant stakeholders, published and communicated; manage the policy in-life and update through yearly or ad-hoc reviews.
- Produce relevant security standards documentation in consultation with technical teams.
- Lead on providing information to Three UK customers (B2B) about Three UK's security practices.
- Provide support for oversight of the technology and security risk management frameworks, methodologies, processes, assurance, remediation and reporting across the company, challenging where appropriate.
- Assist with design, build and implementation of a Technology and Security Risk framework in collaboration with technology, security and enterprise risk and compliance teams.
- Support technology and security teams in undertaking risk assessments and identifying emerging risks through continuous assessment of inherent and residual risk exposure; provide robust challenge to operational teams as they identify and manage technology risks, including information security and cyber risk, through risk and control assessments, key indicators, issue and incident management, and control assurance.
- Manage and continually improve Three's Security Exception process.
- Work with enterprise risk and compliance functions to escalate enterprise-level technology and security risks.
- Operate the GRC tool for risk management to record, track and monitor risks and controls.
- Support ongoing education and awareness activities around security policies, risk management frameworks and governance across the company.
- One of the risk or security certifications (CISSP, CRISC, CISM).
- Good knowledge and practical experience of NIST, PCI-DSS, GDPR, COBIT, ISO 27001 or Cyber Essentials.
- Previous experience in a similar role with the ability to work in a dynamic and changing environment.
- Excellent team player who can influence, help and support others.
- Working with stakeholders and partners to ensure that Three delivers and remains compliant against key security and privacy standards and certifications.
- Maintains up-to-date knowledge of the legal and regulatory requirements that can impact Technology and Operations and its Partners.
- Uses comprehensive knowledge of legal and regulatory obligations and industry best practices and frameworks (e.g., NIST, COBIT, ISO 27001, PAS 555) to ensure technology standards compliance is achieved.
- Schedules risk and compliance audits, reviews the outcomes of the audit process, and directs compliance issues to appropriate resources for investigation and resolution.