Information Security Senior Professional in Giz

**Descrição:**:About the project

To enable the worldwide protection of all critical information processed by the GIZ, the establishment of an Information Security Management System (ISMS) and therefore Information Security Senior Professionals in the field structure are indispensable. Through the company-wide international standard ISO/IEC 27001 certification of information security management (ISO27001), the GIZ targets a wide variety of permanent restructuringprocesses, all of them requiring experts to coordinate and maintain these changes. While the company-wide coordination lies with the Chief Information Security Officer (CISO) and his/her Information Security Management Team (ISMT) located at the headquarters, the extensive local establishment and continuous operation of information security needs the support of a new local role, which works closely together with already existing local roles such as IT-Professionals and Digital Partners (DIPAs).

Area of responsibility

The goal of Information Security Senior Professional is to be a central single point of contact (SPoC) for organizational overview and control as well as professional knowledge concerning information security in the country office. As information technology (IT) has a big role in information security, IT-specific knowledge and/or close cooperation with technical roles is also an expected area of expertise. For the implementation of information security and the ISO27001-certification, the professional is expected to work within the existing management organization of local offices while initiating and controlling relevant processes.

Contents and Tasks
- Initial tasks

In the initial phase of implementation, the establishment of a local information security management is focused. To successfully do this, the Information Security Senior Professional establishes and later manages the security incident process, supports/accompanies the Audit Management process (including the local coordination of “penetration testing”) and ensures that a functioning vulnerability management is in place. As the local representation of the information security organization and thus the Information Security Management System (ISMS), the Information Security Officer acts as Single Point of Contact (SPoC) for information security. He also is the SPoC for projects of the portfolio and contact for all topics concerning information security. The professional ensures through a structural analysis (asset recording) an up-to-date and complete asset inventory (in cooperation with asset owners). Towards Headquarters, specifically towards the CISO, he/she provides structured reporting to the CISO. He/she is also responsible for recording the current status of information security, which includes the mentioned assets. The Information Security Officer establishes the local InfoSec Risk Management (IRM) and accompanying risk register which is implemented through identification of risks with asset owners, risk assessment with risk owner involvement, risk treatment management and further connected tasks.
- Continuous Operation and Updates

After the initial establishment, the Information Security Senior Professional is responsible for elaborating, reviewing, and updating the local security concept, the coordination and implementation of measures, guidelines/concepts as well as the adaptation of guidelines/concepts to local conditions. Concerning the information security awareness among employees, the Information Security Officer coordinates existing awareness measures and is to a limited extend personally responsible for the awareness/training efforts. He/She is further responsible for the control of the effectiveness of security measures, for revisions and audits and for ensuring the investigation of security-related incidents & coordination of their reporting (reporting system). As representative of the Information Security Management System Team (ISMS Team) the Information Security Officer (ISO) also has the permanent task of reporting to the CISO and supply necessary information for the management report of the CISO. For the local offices, the professional provides continuous consulting on information security topics and the constant operation of risk management and level estimation of information protection requirements.

Requisitos desejados: The Information Security Senior Professional is responsible for all information security issues in the country office. To carry out this work the following competencies and capabilities are expected or should be acquired within a reasonable period of time:

- 5 years work experience in an international organization, familiar with organizational structures and processes. Desirable experience in organizations with a minimum of 1000 employees;
- Experienced in conducting audits;
- Knowledge and experience in information security;
- Knowledge and experience in ISO/IEC 27001;
- Basic knowledge of actual Microsoft Software and Se