
IT Risk & Security Analyst

Cathay Pacific Airways Ltd

  • Company Industries: Others

Job Information

  • Post Date: 2016-12-22
  • Career Level: Middle
  • Location: Not Specified
  • Salary: Salary provided
  • Employment Type: Full Time, Permanent
  • Job Function: Application Specialist - Network, Security, Network & System
  • Benefits: Five-day work week, Medical insurance

Job Description

Department: Information Technology

Report To: IT Risk and Security Lead

To assess and identify information risks associated with the use of technology in Cathay Pacific, together with the establishment and maintenance of appropriate risk management, governance framework and processes. Responsible for analyzing Cathay Pacific’s information security environment and recommending pragmatic security measures to reduce the risk.

Principal Accountabilities:        

The IT Risk & Security Analyst is accountable to the IT Risk & Security Lead to:

  • Work with the business units, RICs and IMT stakeholders to facilitate IT risk analysis and risk management processes.
  • Conduct information security risk assessment as required.
  • Track risk mitigation activities related to the IMT Risk Register and maintain Risk Register in accordance with the risk governance framework.
  • Understand, communicate and apply information security controls to address internal and external compliance requirements.
  • Conduct security audits or information security compliance reviews against policy, standards and security requirements, in-house or at third-party service providers to the Company.
  • Coordinate with IMT stakeholders and track the progress of resolution of negative audit findings made by internal and external auditors.
  • Track and maintain security risk remediation plans with relevant parties to achieve security requirements and mitigate identified risks to an acceptable level.
  • Conduct software application vulnerability assessments to be run by the Security Operations team.
  • Conduct vulnerability assessments to identify control weaknesses and assess the effectiveness of existing controls, and recommend remedial action.
  • Report to IT Risk & Security Lead concerning residual risk, vulnerabilities, non-compliance and other security exposures, including misuse of information assets and non-compliance.
  • Provide an advisory role to interpret security requirements and controls as they apply to business needs.
  • Assist in the development of security architecture, cloud security questionnaire, contractual security requirements, information security policies, principles, standards and procedures in new emerging technologies and new security practices.
  • Perform security risk assessment, application security review and technical advisory on BU & IT projects to ensure that all identified information security risks are mitigated and requisite information security controls are implemented throughout the project lifecycle.
  • Participate in Security Projects for the design, development and implementation of preventive, detective and response technical security controls.
  • Work with the IT Security Operations Team to validate baseline security configurations for operating systems, applications, networking and telecommunications equipment.
  • Assist in compliance monitoring reviews, self-assessments and automated assessments.
  • Follow up on deficiencies identified in monitoring reviews to ensure that appropriate remediation steps have been taken.
  • Provide SME support for:
    • Incident Management Team in the resolution of reported security incidents and assist in the forensic investigation of incidents.
    • IT responses to changing business risks and regulatory changes.
    • Assisting the IT Risk & Security Lead to design compliance monitoring reviews and self-assessments.
  • Advise on normal and exception-based processing of security authorisation requests.
  • Assist in the IT security awareness program to promote security awareness among all general employees.
  • Conduct research to evaluate new emerging technologies and maintain up-to-date understanding of the latest threats, vulnerabilities, mitigation, industry best practices, regulations and assist in benchmarking the risk management practices of other companies.

Knowledge, Skills & Qualifications:

  • Minimum 6 years’ solid working experience in the IT industry, with at least 3 years in a similar role
  • Tertiary education is desirable
  • Certified / qualified in information security disciplines such as Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) with good standing credentials or ability to actively work towards obtaining certification.
  • Certified Ethical Hacker (CEH), Certificate of Cloud Security Knowledge (CCSK) preferred, or demonstrated skills and ability to obtain certification
  • Experience with information security and risk management, such as ISO 27001, COBIT, ITIL
  • Knowledge of security best practices, laws and airline regulations, such as Payment Card Industry Data Security Standard (PCI DSS), Hong Kong Personal Data (Privacy) Ordinance (PDPO) or Secure Software Development Life Cycle (SSDLC)
  • Proficiency in performing risk, business impact, control and vulnerability assessments
  • Experience in revamping, developing and maintaining IT security policies, processes and procedures
  • Possess domain competencies in a number of IT-risk-related disciplines, including security, business continuity management, privacy and compliance
  • Good problem solving and analytical skills and workshop facilitation skills
  • Good data analytics skills and ability to present technical information and statistics formally
  • Ability to learn and understand new concepts quickly to keep up with new emerging technology
  • Good communication and interpersonal skills

Application deadline: 30 Nov 2016
