Information Security Auditor

INFORMATION SECURITY AUDITOR

ROLE SPECIFICATION

Role Title Information Security Auditor Employee Interviewed Reports To Head – Information Security Audit & Compliance Company Muthoot Fincorp Limited Function/Department MFL One Location Bengaluru Written By Sabarinath Menon (Lead – Center of Excellence | People & Culture) Approved By (Functional Head) Date (Written On) November 2024 ROLE SUMMARY (PURPOSE) The Information Security Auditor at Muthoot Fincorp Limited (MFL), assesses and evaluates our information systems, data protection protocols, and cybersecurity measures to ensure compliance with regulatory requirements, internal policies, and industry best practices. This role involves identifying vulnerabilities, providing recommendations for security improvements, and helping to safeguard company data and systems from potential security breaches. ORGANIZATIONAL CHART KEY RESPONSIBILITIES Perform regular internal and external audits to assess compliance with security policies, standards, and controls. Review IT infrastructure, applications, networks, and data protection practices. Identify vulnerabilities and assess risks associated with information systems and recommend corrective actions to reduce risk and improve security. Prepare detailed audit reports, outlining findings, non-compliance issues, and risk assessments, and present findings to senior management and provide actionable recommendations. Develop and execute comprehensive internal audit plans to assess the effectiveness of risk management, control, and governance processes within the organization Evaluate the adequacy of cloud security controls which includes but not limited to access management, data encryption, and incident response procedures. Conduct audits based on cloud security controls, specifically AWS and OCI.

Provide recommendations, suggestions to improve security posture of the cloud hosted infrastructure. Ensure ongoing compliance with relevant industry standards (e.g., ISO 27001, DPDPA). Additionally collaborate with teams to maintain compliance with regulatory requirements (e.g., GDPR, HIPAA). Offer insights and guidance on security policies, access controls, data protection, and risk management strategies. KEY INTERACTIONS Internal Stakeholders External Stakeholders IT and Cybersecurity Teams: Work closely on implementing recommendations and ensuring secure IT operations. Compliance Officers: Collaborate to maintain adherence to internal policies and external regulations. Senior Management: Provide audit findings and suggest improvements to executive leadership. HR and Legal Departments: Engage for policy alignment and regulatory compliance. Third-Party Vendors: Conduct security assessments of vendors and ensure they comply with data protection requirements. Regulatory Authorities: Maintain compliance with relevant industry and government standards. External Auditors: Coordinate joint assessments or external audits as necessary. KEY ROLE DIMENSIONS This is a Pan India Individual Contribution role, which requires continuous communication, mostly with senior leaders, compliance and technology team KEY SKILLS & BEHAVIOURAL ATTRIBUTES Proficiency in cybersecurity frameworks, network security, vulnerability management, and information systems auditing. Strong understanding of risk assessment methodologies and the ability to identify and prioritize vulnerabilities. Broad knowledge of cloud computing platforms like AWS, Azure and GCP, and various cloud security controls. Strong understanding of cloud security frameworks and standards, such as CIS Controls, NIST Cybersecurity Framework, and ISO Precision in auditing, documentation, and compliance monitoring. Behavioral Attributes- Driven and in alignment with our Purpose "Transforming the life of the common man by improving their financial well-being" and anchored by our core value of integrity, collaboration, and excellence. EDUCATION / EXPERIENCE Minimum Qualification: Bachelor's degree in information technology, Engineering, Computer Science, Cybersecurity, or a related field. However, a Master's degree in Cybersecurity, Information Assurance, or a similar discipline is desirable for this role. Nature of Experience: Minimum of 6 years of experience in internal auditing, with a strong focus on IT audit, security and third-party audits. Additional Certifications - Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) is mandatory Certified Information Security Manager (CISM), ISO 27001 Lead Auditor, Certified Ethical Hacker (CEH) are also preferred.