Information Security Officer
The Information Security Officer at Aquila Heywood is responsible for the security of our company and its security strategy, including our software products, our services, internal operations, and facilities. Through staff education, audit, continuous improvement and communication across all levels, the ISO will ensure we maintain the ISO27001 certification, lead our GDPR efforts to ensure compliance, and implement and manage our SOC2 initiative, guiding process improvements, reporting on progress and ensuring compliance with the data regulations that apply to our datacentres. This role covers Data Protection Officer requirements under GDPR. This is a senior position within the company, reporting to our CTO.

We are seeking an outstanding individual who is passionate about delivering high-quality, robustly secure financial software, services and an employee environment that operate and maintain a lead in data regulation compliance. The ISO takes a key role in the design and delivery of Aquila Heywood's advanced cyber security capabilities, which represent a benchmark in the pension and life industry.

RESPONSIBILITIES

o Lead the development of, and drive adoption of and compliance with, Aquila Heywood's Information Security policies, procedures and standards.
o Conduct continuous assessment of current IT security practices and systems and identify areas for improvement.
o Be accountable for the company's ISO27001 certification and any other certifications that may be appropriate. Ensure all required documentation and processes are in place for the audit. Manage our relationship with the Quality Auditor and facilitate the certification process.
o As part of the significant change in data security in general, we plan to implement SOC2 reporting and ensure our GDPR obligations are fully in place and continually maintained; this role will be accountable for achieving this.
o Conduct regular penetration tests and vulnerability scans of Aquila Heywood systems, and manage external penetration tests of our systems by the 3rd parties we engage.
o Work with our customers to facilitate penetration tests and vulnerability scans of customer systems carried out by 3rd parties.
o Manage the remediation of any defects that are found, in conjunction with the Technology Division.
o Sign off the InfoSec quality gate for all production applications. This includes assessing our software against the key security criteria required by our Acceptance-into-Service core process.
o Manage and conduct internal security training and awareness for staff.
o Provide a monthly report to the CTO that documents the results of the scans and the information security health status. This includes an Information Security Dashboard that reports cyber-attacks and defences during the month, lists our InfoSec risk register, and tracks issues and actions from month to month.

TEAM STRUCTURE

o The Information Security Officer reports directly to the CTO.
o The ISO has an active role within our Support and Professional Services teams, joining team meetings and advising our project delivery teams on security practices where appropriate.
o The ISO works closely with our Technology Division to help ensure our products are built using a best-practice security framework, and that our secure software development lifecycle is robust and fit for purpose.
o The ISO works with the People team to ensure personnel are adequately vetted for the required security clearance, that our induction training for all employees is delivered, and that ongoing training in information security best practice is effective.
o The ISO works with the management team to ensure that data security is understood and is always considered when key decisions are being made.

WORK EXPERIENCE & SKILLS

o Understanding and practical experience of applying data regulations in a software environment.
o A good working knowledge of ISO27001 and SOC2 principles, and an emerging understanding of what GDPR means for companies.
o Ability to adapt to a fast-moving IT landscape and keep pace with the latest thinking and new security technologies.
o Strong customer focus: able to meet the demands of internal and external customers.
o Technical skills that allow you to question what is happening in a technical environment.
o Information Risk Management practices.
o Good listener, facilitator and meeting manager.
o Follows process discipline, and convinces others to do the same.
o Able to deliver training that is engaging and interesting.
o Holds people accountable for meeting their commitments.
o Good communicator who influences our people, from developers and non-developers to the management team and our shareholders.