AirAsia

Job Description

Description:

This position will report directly to the Capital A Group CISO. The candidate will provide advice, consultation, and awareness of the Group Information Security requirements to technical teams and other employees, and ensure its implementation. This role will be responsible for ensuring internal systems and processes are compliant with information security standards (e.g, ISO 27001, PCI DSS, CIS, NIST CSF, etc); monitoring, managing, and closing information security compliance issues. Other responsibilities include identification, evaluation, and interpretation of standards, regulatory, statutory, and member security requirements, control deficiencies, and information security risks. This position will be the primary point of contact during information security incidents and responsible for managing the incident.

Duties and responsibilities

• Advise CISO on local information and cybersecurity-related regulations and requirements, and then map or recommend changes to existing policies and frameworks.
• Advise local CEO(s) and management on Information Security matters, which may, from time to time, include updates to the Boards of Directors of the various entities.
• Monitor and report on compliance with security and data protection policies, as well as the enforcement of policies.
• Work with in-country Data Protection Officer(s) of Capital A on data protection requirements.
• Maintain a record of up-to-date information security assets (e.g, equipment, documents, etc)
• Participate and facilitate audits and assessment activities to ensure compliance with information security requirements.
• Monitor and investigate local security events and incidents in collaboration with the Group Detection & Response team (Security Operations Center). 
• For locally arising security incidents, act as Incident Manager, in coordination with Group Incident Response & Management teams.
• Identify, communicate, and manage current and emerging security threats with relevant stakeholders. To manage end-to-end information security incidents with the assistance of incident management teams.
• Conduct or facilitate periodic and/or ad-hoc information security assessments and testing, as well as manage the findings.
• Analyse management and technical controls to ensure specific security and compliance requirements are met through verification of documented processes, procedures, and standards in order to validate the maintenance of secure configurations.
• Monitor and facilitate the entitlements review process to ensure compliance.
• Monitor third-party risk assessments and assist in performing internal risk assessments.
• Support development and reviews of security policies, processes, and procedures and support service-level agreements to ensure that security controls are managed and maintained.
• Collaborate on IT projects to ensure that security policy/risk issues are addressed throughout the project life cycle.
• Information Security Awareness - Participate in the development of information security awareness training in conjunction with other members of the GRC. Provide consultation, education, and awareness on information security requirements to various levels of management and Allstars.
• Liaise with the Group Information Security Architecture team to ensure local requirements and activities are aligned with the strategies and objectives of group information security design. 
• Monitor local guest accounts, payments, and fraud risks and advise Group Business Security (SuperApp accounts and payments anti-fraud, Fraud Operations Team, and Continuous Monitoring Team) on local business security requirements and threats. 

Requirements:

• Bachelor's Degree in Information Technology, or Business with IT, Computer Science, or equivalent
• Minimum 6 years experience in managing Information Security Operation/Governance, Risk Management, and Compliance, or related fields
• Relevant industry certification is an advantage (ISO 27001, CISA, CISSP, CGEIT, etc)
• Working knowledge in common IT/information security-related regulations or standards, especially ISO 27001 and PCI-DSS
• Working knowledge of local information and cybersecurity-related regulations and requirements is a huge advantage
• Ability to develop, review and maintain documentation in a timely manner
• Strong communication (spoken and written), interpersonal, and conflict resolution skills. The ability to establish and maintain rapport with stakeholders is highly desired.
• Strong analytical and critical thinking skills
• Result-oriented, high level of attention to detail, self-starter and motivator, ability to multitask and adjust to shifting priorities.