Specialist, Risk & Compliance (IT Sec.)

JOB PURPOSE:

Formulate and implement a forward-thinking strategic risk management framework that aligns with the organization's long-term objectives including identifying, assessing, and mitigating strategic risks to safeguard the organization's reputation, financial stability, and sustainable growth.

KEY ACCOUNTABILITIES:

Risk Assessment

• Conduct risk assessments within the organization's Digital/OT cybersecurity including identifying and evaluating potential IT/OT risks and vulnerabilities that could impact the organization's strategic objectives, financial stability, and overall performance.
• Model hypothetical scenarios that could pose significant risks to the organization and develop strategies to mitigate these risks.
• Assess risks accurately and provide actionable recommendations in helping the organization make informed choices and interventions.
• Collect evidence for relevant risks controls implementations.  

Strategic risk management framework

• Implement a strategic risk management framework to address identified risks in a systematic and proactive manner, aligning risk mitigation strategies with the organization's long-term goals.
• Prepare annual plan and demands for relevant IT/OT Risk Management and compliance.
• Report on Digital/OT Cybersecurity risks, compliance actions, and treatment plan.
• Work closely and Support the ERM team for management of risks and their controls in ERM register.
• Perform the role of Risk Champion for Digital Division as part of Corporate and Group ERM processes.
• Setup and manage governance structures to manage risk profile and cybersecurity scorecards.
• Manage risk reporting and communication at levels in Group Company and HQ.

Compliance monitoring

• Monitor and assess compliance with relevant laws, regulations, and industry standards. Develop and maintain a compliance framework that aligns with leading practices.
• Stay updated on changes in relevant regulations and standards that may impact the organization’s operations and ensure timely adjustments to compliance procedures.
• Work closely with ADNOC HQ/Group Digital to develop, enhance, and maintain compliance programs, policies, procedures, and guidelines that align with industry leading practices and regulatory requirements.
• Implement and utilize relevant compliance monitoring tools and technology to automate compliance checks, streamline reporting, and enhance the efficiency of compliance monitoring processes.
• Monitor compliance of third-party vendors, suppliers, and partners to ensure they meet relevant organization’s standards and regulatory requirements.
• Develop and maintain a relevant due diligence process for onboarding and monitoring third-party relationships.
• Track Cybersecurity controls implementation in liaison with local functions, Shared Services and Group Digital, along with their evidence.
• Conduct OT Cybersecurity compliance review.

Monitoring Key Risk Indicators (KRIs):

• Identify and track key risk indicators (KRIs) that are relevant to compliance and can serve as early warning signs for potential compliance issues.
• Develop a system for relevant regular KRI reporting and analysis and initiate appropriate actions in response to deviations from expected compliance levels.

Security and compliance training and awareness:

• Organize and facilitate compliance training programs and awareness campaigns for employees, contractors, and relevant stakeholders to promote a culture of relevant compliance.
• Ensure employees understand their relevant compliance responsibilities and obligations.
• Conduct awareness sessions for users in any aspects of Cybersecurity and Information Assets Protection.
• Support in design and provision of different awareness / training contents.
• Analyse effectiveness of provisioned awareness / trainings.

Incident reporting and response:

• Supporting the relevant process for reporting and follow ups for compliance violations, incidents, or breaches.
• Implement incident response plans to address relevant compliance violations promptly and effectively, ensuring proper documentation and corrective actions.
• Work closely and support SOC, VMS and Red teams for handling and follow up of reported incidents.

Regulatory liaison:

• Where necessary, maintain positive relationships with regulatory authorities and external bodies, ensuring or supporting timely and accurate submission of required compliance documents and information.

Compliance culture advocacy:

• Act as an advocate for a strong compliance culture within the organization, emphasizing the importance of ethical conduct, integrity, and adherence to compliance standards at all levels of the organization.

Projects and KPI Management:

• Manage and track relevant projects in liaison with local functions, Shared Services and Group Digital.
• Communicate, Support and Coordinate with stakeholders during relevant Group Digital Cybersecurity projects activities.
• Engage in relevant scoping, technical evaluation and call off orders.
• Plan, supervise and coordinate relevant activities to meet functional and group objectives and KPIs.

Business Continuity Management:

• Prepare relevant annual DR Drill plan and demands for Digital Business Continuity Management in liaison with local functions, Shared Services and Group Digital.
• Work closely with local functions, Group Digital and Shared Services to identify relevant potential impacts of various disruptions / incidents and disaster scenarios and contribute to making recommendations.

Minimum Qualification

• Bachelor’s degree in computer science, engineering, information security or equivalent

Minimum Experience & Knowledge & Skills

• 10 years of experience in IT/OT risk management, security governance, audit projects
• Proven capability in International Standards such as ISO 27001, ISA/IEC 62443, CSA, COBIT, CIS, Cybersecurity Standards, NIST, etc.
• Certification in at least one of the following: CGEIT, CISSP, GICSP, CCSK, CISA+CISM
• Good technical competencies and exposure to IT/OT application or infrastructure development, support, and management of PLC, DCS, SCADA systems.