Lead-Governance Risk and Compliance

• DUTIES & RESPONSIBILITIES

AREAS

ACTIVITIES

1

2

3

4

5

6

7

LEADERSHIP

GOVERNANCE

RISK ASSESSMENT

SUPPLY CHAIN RISK MANAGEMENT

AWARENESS & TRAINING

POLICY COMPLIANCE

MISCELLANEOUS

• Perform other duties as assigned to ensure the smooth functioning of the department.
• Recommend programmatic and technical inputs and operate with a high degree of independence in matters relating to the investigation, impact, and analysis of security incidents, decisions regarding risk, and measures for computer and network security.

• Operate with a high degree of independence with regard to project management activities, including development of project plans and resource estimates.
  Understand, assist and co-ordinate for legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations

• Develop and share Weekly, Monthly and Yearly reports with Head – Information Security, showcasing status and posture of Information Security Program at Nayara Energy

• Develop and maintain Information Security Online Dashboard for Information Security
• Develop & implement Information Security Metrics Program for continuous monitoring and assessing the effectiveness of Information Security controls
• Co-ordinate with relevant functions to collect required data for the Information Security Metrics Program

• Assist Head Information Security to design, implement, and maintain Nayara's cybersecurity plan and Information Security Program.
  Assist Head Information Security for other governance activities.

• Identify and document asset vulnerabilities and threats (internal and external).

• Receive cyber threat intelligence from information sharing forums and sources.
• Identify potential business impacts and likelihoods.
• Use threats, vulnerabilities, likelihoods, and impacts to determine risk.
• Identify and prioritize risk responses.
• Suggest risk mitigations & IT controls and ensuring information security best practices are designed, implemented and monitored.

• Co-ordinate for Risk Assessment of Business Function's IT systems
  Benchmark and compare security practices with the industry. Demonstrate knowledge, Implementation, operations and maintenance of information security standards and frameworks like NIST Cyber Security Framework, ISO/IEC 27001, COBIT, ITIL, etc. as applicable.

• Develop & Implement Information/Cyber Security Supply Chain Risk Management framework

• Assist Head Information Security to ensure organizational stakeholders identify, establish, assess, manage, & agree to cyber supply chain risk management processes.
• Use contracts with suppliers and third-party partners to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Information / Cyber Security Supply Chain Risk Management Framework.

• Routinely assess suppliers and third-party partners using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  Conduct response, recovery planning and testing with suppliers and third-party providers.

• Develop content for Information Security refresher awareness training and New Joiner induction program

• Assist Head Information Security to ensure all users are informed and trained.
  Assist Head Information Security to ensure privileged users, senior executives, third-party stakeholders, physical and cybersecurity personnel understand their roles and responsibilities.

• Lead the system-wide information security compliance program, ensuring IT activities, processes, and procedures meet defined requirements, policies and regulations.

• Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
  Execute strategy for dealing with increasing number of audits, compliance checks and external assessment processes for internal/external auditors based on NIST Cyber Security Framework

• Assist with forensics, analysis and fact gathering.

• Record and track Information security incidents, including but not limited to copyright violations, compromised accounts, e-mail threats, and abuse reports from various sources.