Job Description

Reporting structure

Senior Information Security Officer (Nakilat)

Job Summary and Purpose

Drive a strong and robust information security management system in the organization through threat/vulnerability detection, security scanning, penetration testing, security monitoring, identifying IT/OT security risks and other related information security activities. Ensure adherence to the various internal and international information security standards and also to provide technical consultation on multiple information security issues.

Accountabilities

Key Accountabilities: Information Security Management (Nakilat Shipyard Joint Ventures): 1. Identify information security vulnerabilities and threats in the company IT/OT technology network and infrastructure using various techniques e.g. penetration testing and vulnerability assessment. 2. Collate information from the conducted assessments and recommend appropriate remedial steps. 3. Coordinate the development of the organization's disaster recovery and business continuity plans for information security, and tests readiness. 4. Develop, review improve and update information security policies, procedures, guidelines and other related documents. 5. Provide support to build the organization wide information security awareness and training programs. Contribute and provide contents for its awareness activities. 6. Monitor, evaluate and ensure the segregation of duties on all systems in order to mitigate the risk of unintentional and/or deliberate system misuse. 7. Ensure compliance with the applicable internal and international information security standards (NIA, ISO27001). 8. Monitor changes in legislation and accreditation standards that affect information security, notify the concerned parties and assists other departments to ensure regulatory compliance. 9. Ensure appropriate administrative, physical and technical safeguards are in place to protect information assets from internal and external threats. 10. Liaise and maintain contact with law enforcement authorities, regulatory bodies, security groups and industry forums in the field of Information Security. 11. Prepare security baselines and safeguard applications, operating systems and infrastructure devices by adopting the latest standards. 12. Resolve information security issues and improve the information security performance by providing technical consultation in system development, acquisition, procurement, implementation, change management, operation/support, and architectural and other ad-hoc projects. 13. Assist in operation areas related to information security and follow the related processes to provide support in information security initiatives. 14. Work with the concerned parties on the security incidents and vulnerability management processes from design to implementation and beyond.

Accountabilities - 2

15. Review technical information in the requirements statements, feasibility analysis, operating procedure manuals, and other documents produced in the process of system development. 16. Monitor and assess the system security, system audit trails/logs and the veracity of system configurations whenever required. 17. Assist in performing on-going security monitoring of information systems including assessing information security risk, conducting functional and gap analyses to determine the extent to which key business areas and infrastructure comply with statutory and regulatory requirements. 18. Evaluate and recommend new information security technologies and countermeasures against threats to information or privacy and developing security reports and dashboards. 19. Provide assistance in identifying, recording, reporting and resolving the various security violations. 20. Support and assist the other activities linked with Enterprise Risk and Business Continuity Management such as Risk Assessments and Business Impact Analysis.

Accountabilities - 3

Generic Accountabilities: Quality, Health, Safety, & Environment (QHSE): 21. Adhere to all relevant QHSE policies, procedures, instructions and controls so that NAKILAT provides a safe, world class, secure and environmentally responsible service to customers, the public and its own people. Policies, Systems, Processes & Procedures: 22. Implement approved policies, processes and procedures, and provide instructions to subordinates to ensure their proper implementation. Others: Carry out any other duties as directed by the immediate supervisor.

Accountabilities - 4

Competencies

Achievement Oriented Collaboration & Teamwork Customer Centricity Drive Vision Empower & Nurture Talent Interactive Communication Solution Oriented

Key Result Areas

. Contribute to the development and management of policies and procedures for Information Security Management. . Develop and contribute organization wide information security awareness programs and training. . Prepare Information Security related risk assessments, reports and other relevant documentation. . Conduct the required tests to identify threats and vulnerabilities for IT and OT infrastructure.

Interactions and Working Relations

Internal: Interaction with all staff on information security activities such as data classification, access review, threats and vulnerabilities identification, support and contribution to Information Security initiatives and projects. External: Interface with vendors and external auditors for information security related matters.

Financial Authorities

As per TOFA.

Qualifications, Experience and Job Skills

Qualifications: . Bachelor's Degree in Computer Science or any other equivalent field. . Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Certified ISO27001 Lead implementer are required. Globally recognized credential certification is preferred in Information Security domain for example, CISM, ISO27001LA. Experience: . Minimum of 4 years of Information Security experience. IT background is preferred. Job Specific Skills: . Ability to manage pressure, prioritize needs, requirements and positively interact with the company users and external parties. . Ability to trouble shoot and investigate information security incidents. . Knowledge of Information Security Management System (ISO 27001) and other Information Security framework (NIST). Security related qualifications (e.g. CISSP, CISM, CEH, ISO 27001 LI/LA). Job Specific Competencies: ii. Technical 8) Business /Industry Knowledge 9) Enterprise Risk Management 10) Business Risk 11) Risk Project Management 12) Business Continuity Management 13) Governance 14) Risk Management Methodology/Process 15) Risk Identification and Assessment 16) Business Impact Analysis 17) Risk Response & Reporting 18) Risk Mitigation & Control 19) Information Security Management