https://bayt.page.link/iW7rM4SyQAX4FG4E9

InfoSec Change Manager (Consultant)

30+ days ago 2025/05/20
Other Business Support Services

Job Description

The InfoSec Change Manager is responsible for evaluating, approving, and overseeing all business and technology changes, including infrastructure upgrades, firewall ACL requests, new project initiatives, and service requests. This role works closely with subject matter experts (SMEs) within the Information Security team to ensure that changes align with security policies, regulatory requirements, and operational risk frameworks. The manager will serve as the primary gatekeeper to protect critical assets and minimize the risk of unauthorized or misconfigured changes.


Key Responsibilities:


  • Evaluate infrastructure upgrades, patching, and technology refreshes, ensuring embedded security controls and risk mitigation strategies are in place.
  • Assess and approve code changes to ensure secure coding practices, vulnerability management, and compliance with development standards.
  • Review and approve firewall ACL change requests to ensure compliance with network security policies and minimize exposure to risks.
  • Ensure that Data Loss Prevention (DLP) policy changes align with data protection policies.
  • Approve vulnerability assessment scanning schedules and integrate results into remediation plans.
  • Evaluate and approve security exception requests, balancing business requirements with risk management and compliance.
  • Oversee changes to security tools, endpoint configurations, and monitoring systems to ensure continuous protection.
  • Evaluate new project proposals to ensure security-by-design principles are integrated throughout the planning and execution phases.
  • Approve service requests impacting information security, including cloud provisioning, third-party integrations, and privileged access changes.
  • Develop and maintain a standardized change approval framework and Standard Operating Procedures (SOPs) covering application, infrastructure, and network layers.
  • Oversee the annual calendar for recurring assessments and audits of previously approved changes to ensure ongoing compliance with security policies.
  • Collaborate with development, DevOps, and IT teams to embed security controls throughout the change lifecycle.
  • Provide regular reporting on high-risk changes, security exceptions, and the overall effectiveness of change controls.
  • Participate in weekly Change Approval Board (CAB) meetings.

Operating Environment and Working Relationships:


  • Operates in a highly regulated environment, ensuring compliance with security, operational, and regulatory mandates.
  • Works across multi-vendor and hybrid infrastructures, including cloud environments and third-party integrations.
  • Coordinates with cross-functional teams to manage changes impacting sensitive financial applications and customer data.
  • Adheres to international security standards (ISO 27001, NIST 800-53, PCI DSS).
  • Aligns with established Change Management, Governance, and Risk frameworks.
  • Works closely with IT Security, Network, Infrastructure, DevOps, Audit, Service Management, and Risk Management teams.
  • Collaborates with external auditors and regulators during security reviews and assessments.

Problem Solving:


  • Analyze issues to identify root causes and prepare remediation solutions.
  • Implement and manage effective change management for new solutions or corrective actions.
  • Prepare business impact analyses for all identified problems, leveraging a deep understanding of the IS ecosystem.

Decision Making Authority & Responsibility:


  • Works independently with minimal supervision and contributes to policy preparation, regulation applicability, scoping, and control decisions.
