The Manager – Data Protection is responsible for establishing and maintaining a corporate-wide data protection management program to ensure that information assets are adequately protected. This position is responsible for identifying, evaluating and reporting on data protection / information security risks in a manner that meets operational, compliance and regulatory requirements, and aligns with and supports the operations and risk appetite of GEMS Education.
- Support the development of an effective information security / data protection strategy; monitor its implementation across GEMS Education.
- Lead the development of data protection policies, procedures and processes. Establish security guidelines and standards as per industry best practices.
- Review progress of data protection initiatives against KPIs on a regular basis.
- Collaborate with IT teams to review architectural designs, including application security setups and use of the network, and evaluate compliance with applicable security standards in alignment with business objectives.
- Support the implementation of a comprehensive enterprise data protection and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization.
- Develop, maintain and publish up-to-date data protection policies, standards and guidelines. Oversee the approval, training, and dissemination of security policies and practices.
- Create and manage data protection awareness training programs for all employees, contractors and approved system users.
- Work directly with the business units to facilitate IT risk assessment and risk management processes, and work with stakeholders throughout the enterprise on identifying acceptable levels of residual risk.
- Provide regular reporting on the current status of the data protection program.
- Create a framework for roles and responsibilities with regard to information ownership, classification, accountability and protection.
- Develop and enhance an information security management framework based on industry best practices, such as International Organization for Standardization (ISO) 2700X, ITIL, COBIT/Risk IT and National Institute of Standards and Technology (NIST).
- Provide strategic risk guidance for IT projects, including the evaluation and recommendation of technical controls; perform related duties as required, including providing support to information security initiatives.
- Liaise with development and operations teams to ensure alignment between the security, infrastructure and application architectures.
- Coordinate data protection projects with resources from the IT organization and business unit teams.
- Create and manage a unified and flexible control framework to integrate and normalize the wide variety and ever-changing requirements resulting from applicable laws, standards and regulations. Ensure that security programs are in compliance with such laws, regulations and policies to minimize or eliminate risk and audit findings.
- Define and facilitate the data protection risk assessment process, including the reporting and oversight of treatment efforts to address negative findings.
- Manage IT security incidents and events to protect corporate IT assets, including intellectual property, regulated data and the company's reputation.
- Monitor the external threat environment for emerging threats, and advise relevant stakeholders on the appropriate courses of action.
- Coordinate the use of external resources involved in the data protection program, including, but not limited to, interviewing, negotiating contracts and fees, and managing external resources.
- Facilitate a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation, and increase the maturity of information security.
- Ensure the consistent application of policies and standards across all technology projects, systems and services, including, but not limited to, privacy, risk management, compliance and business continuity management.
Qualifications, Experience and Skills
- Minimum of a Bachelor of Science (BS) degree in Information Security, Computer Science, Engineering, or a related technical field. A Master's degree is preferable.
- Minimum of one internationally recognized professional certification (e.g. CISSP, CISA, CISM, ISO 27001 (ISMS) Implementer / Lead Auditor, CRISC).
- Minimum of 10 years of work experience in Information Technology.
- Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT and NIST.
- Strong understanding of risk management frameworks and ability to prioritize initiatives.