

Airlines IT

 

Cathay Pacific

IT Risk & Security Analyst



Date posted: 11.Jan.2016
Expire date: Open Until Filled
Recruiter: Cathay Pacific
Job Category: Airlines IT
Location: Hong Kong
Reference: 902

Description:

Department : Information Technology

Report To : IT Risk and Security Lead



To assess and identify information risks associated with the use of technology in Cathay Pacific with the establishment and maintenance of appropriate risk management, governance framework and processes. Responsible for analysing Cathay Pacific’s information security environment and recommending pragmatic security measures to reduce the risk.



Principal Accountabilities:



The IT Risk & Security Analyst is accountable to the IT Risk & Security Lead to:


Work with the business units, RICs and IMT stakeholders to facilitate IT risk analysis and risk management processes.
Conduct information security risk assessment as required.
Track risk mitigation activities related to the IMT Risk Register and maintain Risk Register in accordance with the risk governance framework.
Understand, communicate and apply information security controls to address internal and external compliance requirements.
Conduct security audits or information security compliance reviews against policy, standards and security requirements, in-house or of third-party service providers to the Company.
Coordinate with IMT stakeholders and track the progress of resolution to negative audit findings made by internal and external auditors.
Track and maintain security risk remediation plans with relevant parties to achieve security requirements and mitigate identified risks to an acceptable level.
Conduct software application vulnerability assessments to be run by the Security Operations team.
Conduct vulnerability assessments to identify control weaknesses and assess the effectiveness of existing controls, and recommend remedial action.
Report to IT Risk & Security Lead concerning residual risk, vulnerabilities, non-compliance and other security exposures, including misuse of information assets and non-compliance.
Provide an advisory role to interpret security requirements and controls as they apply to business needs.
Assist in the development of security architecture, cloud security questionnaire, contractual security requirements, information security policies, principles, standards and procedures in new emerging technologies and new security practices.
Perform security risk assessment, application security review and technical advisory on BU & IT projects to ensure that all identified information security risks are mitigated and requisite information security controls are implemented throughout the project lifecycle.
Participate in Security Projects for the design, development and implementation of preventive, detective and response technical security controls.
Work with the IT Security Operations Team to validate baseline security configurations for operating systems, applications, networking and telecommunications equipment.
Assist in compliance monitoring reviews, self-assessments and automated assessments.
Follow up on deficiencies identified in monitoring reviews to ensure that appropriate remediation steps have been taken.
Provide SME support for Incident Management Team in the resolution of reported security incidents and assist in the forensic investigation of incidents.
IT responses to changing business risks and regulatory changes.
Assist the IT Risk & Security Lead to design compliance monitoring reviews and self-assessments.

Advise on normal and exception-based processing of security authorisation requests.
Assist in the IT security awareness program to promote security awareness among all general employees.
Conduct research to evaluate new emerging technologies and maintain up-to-date understanding of the latest threats, vulnerabilities, mitigation, industry best practices, regulations and assist in benchmarking the risk management practices of other companies.

Requirements:

Knowledge, Skills & Qualifications (profile):


Minimum 6 years’ solid working experience in the IT industry, with at least 3 years in a similar role
Tertiary education is desirable
Certified / qualified in information security disciplines such as Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) with good standing credentials or ability to actively work towards obtaining certification.
Certified Ethical Hacker (CEH), Certificate of Cloud Security Knowledge (CCSK) preferred, or demonstrated skills and ability to obtain certification
Experience with information security and risk management, such as ISO 27001, COBIT, ITIL
Knowledge of security best practices, laws and airline regulations, such as Payment Card Industry Data Security Standard (PCI DSS), Hong Kong Personal Data (Privacy) Ordinance (PDPO) or Secure Software Development Life Cycle (SSDLC)
Proficiency in performing risk, business impact, control and vulnerability assessments
Experience in revamping, developing and maintaining IT security policies, processes and procedures
Possess domain competencies in a number of IT-risk-related disciplines, including security, business continuity management, privacy and compliance
Good problem solving and analytical skills and workshop facilitation skills
Good data analytics skills and ability to present technical information and statistics formally
Ability to learn and understand new concepts quickly to keep up with new emerging technology
Good communication and interpersonal skills





Cathay Pacific is an Equal Opportunities Employer. Personal data provided by job applicants will be used strictly in accordance with our personal data policy and for recruitment purposes only. Candidates not notified within eight weeks may consider their application unsuccessful. All related information will be kept in our file for up to 24 months. A copy of our Personal Information Collection Statement will be provided upon request by contacting our Data Protection Officer.
