Information Security & Risk Officer
You are responsible for guarding the vision, the development of strategy and the implementation of the programme within the NMBS-SNCB organisation (including its affiliates) on Information Security, Information Security Risks and IT Risk Management.
You identify, analyse and report information security risks for different NMBS-SNCB directorates. You supply the Information Security requirements for IT projects.
You identify, analyse and report on the internal IT risks, and take care of the follow-up. You maintain the risk register and take care of the management reporting.
You participate in the implementation of an ISMS. You define policies, standards, procedures and guidelines. You take care of their communication and awareness. You follow up and report on their implementation and status. T
The influence of the Information Security & Risk Officer extends across the entire enterprise. The Information Security & Risk Officer reports to the Information Security, Risk & Service Continuity Manager
Information Risk Management
- Setting up and maintaining an Information Risk Management framework, based on the ISF IRAM methodology.
- Defining, organizing and applying "information risk analysis", "treatment" and "information risk information risk monitoring processes.
- Incorporation of information risk management processes in the existing business and IT processes.
- Setting up and maintaining an information risk registry.
- The active execution, monitoring and adjusting of information risk analysis (Business Impact Assessments, Threat & Vulnerability Assessments)
- Guiding business about their availability requirements versus active disaster recovery capabilities.
IT Risk Management
- Setting up and maintaining an IT risk management framework, based on ISO 31000 and COBITv5
- Defining, organizing and applying IT risk analysis, treatment and monitoring processes.
- Incorporation of this IT risk management processes in the existing business and IT processes.
- The active execution, monitoring and adjusting IT risk analyses.
- Setting up and maintaining an IT risk register.
- Setting up and maintaining relationships and act as point of contact with (internal) audit and other risk departments.
Information Security Management
- Develop and enhance Policies, Standards, Procedures and Guidelines to set up an ISO27000 based ISMS
- Leading in the adoption, approval and maintenance of this corporate Information Security framework.
- Operational coordination and follow-up of several projects and initiatives within the Information Security department
- Formulating tactical advice on information security to IT and non IT projects
- Daily follow-up of the CISO mailbox
- Handling of information- or cybersecurity incidents and coordinate forensics activities
- Delivering content for the intranet security & privacy portal.
In all of these domains, you will work closely with IT PMO to align with existing IT processes, with IT project managers and operational managers to identify or mitigate risks, with the NMBS-SNCB Data Protection Officers to guard privacy, with the IT Compliance Officers, with the CyberSecurity department, with the IT Service Continuity Officers to align on risks and BIA’s.
- Bachelor's degree or equivalent experience
- 3 to 15 years of relevant experience in risk management and information security
- Knowledge of ISO2700x, ISO31000, COBIT5, ITIL, …
- Experience with assessing and managing IT and/or Information Risk
- Broad knowledge of IT processes and technology
- Knowledge of security architectures and controls
- Knowledge of ISF IRAM is a plus
- Experience in managing and overseeing security in third party service providers.
- Certifications: CISSP, CISM, CISA or CRISC is a plus
- Problem analysis and conflict management
- Customer focus and able to handle in an organisation sensitive way
- Record of responsibility
- Spoken and written fluency in Dutch or French; passive understanding of Dutch and French