Governance Risk Compliance and Information Security Analyst

The primary role of the Governance Risk Compliance and Information Security Analyst is to support the Security Architect in protecting the Confidentiality, Integrity and Availability of the Group's information assets via the delivery of the Halfords Governance, Risk and Compliance framework, as well as by the operation of Halfords security processes and procedures.

You will deliver your work through Halfords Governance, Risk and Compliance framework and its security processes and procedures that:

• Supports the ongoing alignment of information security strategy to business objectives


• Manages risk registers and audit findings, ensuring risks and findings are actively managed by their owners and that exception requests are subject to appropriate authority


• Delivers robust governance processes in the delivery of Halfords Technology capabilities


• Manages an effective information security risk management capability that assesses and manages risk to an acceptable level


• Delivers security processes that include self service capabilities and automation


• Implements an ongoing information security compliance programme


• Supports project and initiatives to ensure that security requirements are incorporated and addressed via a secure by design approach


• Reviews and approves changes as part of Halfords technology change management process.


• Provides a focal point within Halfords for information security expertise


Key Responsibilities

The job holder will be responsible for delivering the following capabilities;

Governance

• Supporting the implementation of the information security programme


• Managing and updating Halfords GRC tool to ensure effective operation of Halfords Security and Privacy processes


• Managing the Halfords Security and Privacy project/initiative engagement processes


• Driving information security policy development and annual review processes


• Ensuring that colleagues, contractors, and vendors are aware of and understand Halfords information security requirements and guidance. This may include delivery of training.


• Consolidating relevant audit actions and tracking remediation through to closure


• Acting as an information security subject matter specialist to the business


• Producing monthly metrics and management reports


Risk

• Maintaining the information security and technology risk register in the GRC tool


• Carrying out information security risk assessments for projects, key systems, and third parties


• Ensuring that risks/issues are identified and evaluated in line with Halfords risk methodology


• Ensuring risks are owned at the appropriate level, actively managed, and that exception requests are subject to appropriate authority


• Assisting with the development of the GRC tool and processes driving continual improvements in effectiveness and efficiency


• Supporting the information security incident response process as required


• Producing monthly metrics and management reports


Compliance

• Carrying out compliance assessments including but not limited to:

+ Halfords information security controls
+ Identified external regulations
+ Contractual obligations

• Acting as a point of contact for internal and external information security audits


• Tracking noncompliance and audit findings through to remediation and closure


• Contributing to third party due diligence questionnaires received by Halfords


• Maintaining a rolling 12-month compliance schedule


• Producing monthly metrics and management reports


• Coordinating Halfords annual PCI-DSS assessment
  
  Must have proven experience and knowledge of:

+ Information security risk and compliance management
+ Cyber/information security concepts
+ Conducting information security risk assessments
+ Conducting and coordinating compliance assessments
+ Writing information security policies and controls

• Should have experience and knowledge of

+ Information security frameworks such as ISO 27001 and Cyber Essentials
+ Payment Card Industry Data Security Standard (PCI DSS)
+ Governance Risk and Compliance tools
+ Information Security Technical controls
+ Enterprise IT environments
+ Data Protection frameworks and requirements

• Key Skills

+ Essential
o Excellent written and oral communication skills
o Able to present risk in 'non-technical' business-friendly accessible language
o Ability to effectively prioritise and execute tasks in a high-pressure environment
o Fast learner with a "can do" attitude
o Ability to work independently and as part of a team
+ Desirable
o Working towards one or more of the following qualifications
# Certified Information Systems Security Professional (CISSP)
# Certified Information Systems Auditor (CISA)
# Certified Information Systems Manager (CISM)
# Certified in Risk and Information Systems Control (CRISC)