Information Security Officer

**Job Title**: Information Security & Compliance Officer (Alternate Title: Infosec Auditor & Governance Manager)

**Location**: Mumbai (or Hybrid as per business need)

**Reporting To**: Chief Information Security Officer (CISO) / Head of Technology

**Purpose of the Role**: To manage and coordinate all Information Security audits, respond to auditor/banker queries, track remediation timelines, maintain audit-ready documentation, implement security controls, and ensure compliance with ISO 27001, RBI guidelines, CICRA (Credit Information Companies Regulation Act), and other regulatory requirements.

**Key Responsibilities**:
1. **Audit & Compliance Management**
- Own end-to-end audit lifecycle across internal, external, partner, and regulatory audits (ISO 27001, RBI, CISA, Bank Infosec teams, CICs).
- Liaise with banks, auditors, NBFC partners to provide timely responses and evidence.
- Maintain an exhaustive audit tracker with timelines, evidence folders, and closure reports. - Prepare documentation and ensure regular reviews of quarterly and half-yearly items (UARs, VAPT, password policy reviews, etc.).

2. **Policy Implementation & Review**
- Coordinate implementation and periodic review of all security policies such as:

- Information Security Policy
- Access Control Policy
- Encryption & Cryptographic Policy
- Password Policy
- Cloud Security Policy
- DLP, Antivirus & Patch Management Policy
- Data Retention & Disposal Policy
- Change Management & SDLC
- HR Policy Security Clauses (Separation, Laptop return, Fidelity declaration)
- Ensure all policies are updated, approved, communicated, and enforced.

3. **Security Controls & Infrastructure Compliance**
- Maintain evidence of:

- AWS security group reviews and hardening reports
- VPN tools and access mechanisms
- IDS/IPS deployment
- Endpoint protection software, patch deployment
- DR/BCP drills and logs
- Cloud/network diagrams and access logs
- Coordinate with infra & DevOps team to track VAPT, SIEM, and firewall configurations.

4. **Vendor, Cloud & Third-Party Governance**
- Monitor and govern cloud configurations and vendor relationships for:

- AWS (Encryption, KMS, access control, VPC architecture)
- Anti-virus/DLP/MDM/USB blocking tools
- VAPT / Penetration Test vendors
- Subcontractor compliance with privacy & data sharing agreements

5. **Documentation, Evidence & Automation**
- Maintain updated SOPs, policy documents, declaration forms, signed NDAs, audit reports. - Create periodic evidence checklists and trackers (UAR logs, patch updates, policy review minutes, Form III declarations).
- Work with tech & HR to automate compliance triggers (alerts for quarterly reviews, policy expiry, form sign-offs, etc.)

**Qualifications**:

- Bachelor’s degree in IT, Computer Science, Cybersecurity or equivalent.
- Preferred: CISA, ISO 27001 Lead Implementer/Auditor, CEH, or other infosec certifications.

**Experience**:

- 3-7 years of hands-on experience in information security audits, IT compliance, or governance roles.
- Experience with ISO 27001, RBI IT frameworks, CICRA, or financial sector infosec requirements preferred.

**Key Skills**:

- Strong documentation and audit response skills
- Familiarity with AWS cloud, SIEM tools, endpoint protection, patching cycles
- Working knowledge of SDLC and DevSecOps frameworks
- Comfortable working cross-functionally with Tech, HR, Admin, Vendors, and Legal teams
- Strong command over Excel trackers, file documentation, and policy drafting

**Bonus Skills**:

- Knowledge of Indian regulatory requirements (CICRA, RBI Circulars)
- Experience in fintech or BFSI domain
- Familiarity with VAPT report analysis and remediation tracking

**Job Types**: Full-time, Permanent

Pay: ₹40,000.00 - ₹70,000.00 per month

**Benefits**:

- Cell phone reimbursement
- Health insurance
- Paid sick time
- Provident Fund

Schedule:

- Day shift
- Fixed shift

Work Location: In person