Information Security Risk and Assurance Specialist – Assurance
Job Location
Glasgow
Job Type
Business Services
Country/Territory
Scotland
Region
UK & Europe
Description
The Role
The mission of the firm's Information Security and Risk team is to
establish a risk-managed environment that enables the firm to
adequately and reasonably protect the confidentiality, integrity and
availability of information used by the business and on behalf of
clients. The successful candidate will be part of the team that
focuses on the management of risk and assurance for Information
Security and IT, and will work with stakeholders across the global
business to develop and maintain the risk management and control
frameworks, identify and measure the levels of associated Information
Security and IT risks, help to identify and oversee the implementation
of appropriate remediation strategies where necessary including the
implementation of appropriate controls, work alongside the technical
teams and other areas of the business to help bring the levels of risk
into appetite; periodically monitor the risk levels and the maturity
of related controls, conduct reviews and control assurance exercises,
develop and maintain the associated policies, processes, standards to
ensure that the people, processes and technology within the enterprise
are appropriately risk-managed, adding value to the business
consistent with assigned information security scope and risk appetite.
Key Responsibilities
Ensure an in-depth knowledge and understanding of the Information
Security and IT risk management requirements and practices.
Responsible for the risk management framework for Information
Security and IT, in accordance with Firm policy and in line with the
enterprise risk management framework. Periodically review and
maintain the relevant Information Security and IT Risk management
policies as appropriate.
Work closely and build relationships with stakeholders in
Information Security, IT, the global Risk department and across the
wider business, to encourage and develop the processes required for
the determination of appropriate risk appetite, identification and
assessment of risk, the implementation of appropriate mitigation
strategies and ongoing management, in accordance with the risk
management policy.
Manage the Information Security and IT risk register, ensuring
that all identified risks are clearly recorded together with
assigned owners, measured inherent and residual risk levels, and
details of compensating controls and/or mitigation strategies with
their respective owners. Ensure that the recording and management of
risk remains consistent and in accordance with the policy and
underlying agreed standards/processes.
Ensure that all risks are periodically reviewed and re-assessed to
determine whether the inherent/residual levels are still
appropriate. For risks still not in appetite, determine the most
likely scenarios that could lead to crystallization of the risk, and
whether current mitigation strategies and/or controls would be optimal/effective.
Perform risk assessment activities as appropriate for larger
projects, or where there may be significant transformation or
change within the business affecting Information Security or IT.
Identify and assess, on an ongoing basis, risks that could materially
impact the ability of IT to deliver its commitments to the
business, together with periodic reporting to the Senior Leadership
Team and the tracking of any mitigation actions required.
Provide education where required to develop the skills within
Information Security, IT and other business areas to identify,
assess, measure and record risks.
Stay abreast of developments in the risk management area and cyber
and information security trends as they relate to the legal
industry, information management, technological standards, emerging
and current threats employing appropriate horizon scanning.
Build and maintain relationships with the global Risk department to
share best practice and to ensure that the risk management and
control frameworks for Information Security and IT fully align with
the enterprise risk management framework. Responsible for a risk
reporting framework that informs effective risk-based decision
making within IT and tracks progress of risk mitigation while
recognizing the different audiences within Clyde & Co, e.g. risk or
service owners, management within Information Security and IT, the
Audit and Risk Committee and, where appropriate, other levels of
management in the firm.
Maintain a reporting environment capable of historical reporting,
trends, key triggers, performance and risk indicators, management
information etc.
Essential Skills & Experience
Proven experience of working in an Information Security and IT
Risk Management role within a fast-paced environment. Experience
within the legal industry is ideal, but not essential.
Operational knowledge of risk management and international
information security standards, practices, risk management and
control frameworks, e.g. ISO31000, IRAM2, NIST 800-53 and Cybersecurity
Framework, ISO27001/2, COBIT, ISF SOGP, CPS-234 etc.
Strong organisational skills and the ability to handle multiple
conflicting priorities.
Able to work to very tight deadlines under pressure and to
assimilate information quickly.
Strong interpersonal skills including confidence, positivity,
diplomacy and the ability to gain credibility quickly.
Excellent verbal and written communication skills, with the
ability to explain risk concepts and technical terms in a way that
non-technical people would understand.
Demonstrates attention to detail with a high level of accuracy.
Positive and tenacious with the ability to pro-actively drive
initiatives forward and motivate resources within and outside their
team to perform.
Drives innovation and challenges the status quo to achieve
continuously improved risk management and risk reporting insights
for Clyde & Co.
Business Services Competencies
Clyde & Co is committed to providing extensive, personal and
professional development opportunities for our people enabling them to
be highly effective in their current role as well as assisting them to
fulfil their career aspirations.
The competencies are used to inform all aspects of Business Services
career development. They vary across levels and different business
areas and fall under the following areas:
Technical Excellence
People and Team
Client/Stakeholder Relationships
Service Delivery and Commercial Awareness
Personal Effectiveness
This is the job description as constituted at present; however the
Firm reserves the right to reasonably amend it in accordance with the
changing needs of the business.