As the Information Risk Specialist, you will support the design and maintenance of the policies, procedures and organisational controls within R3’s information security management system (ISMS). Reporting to the Security Risk Manager, and part of a small team of information security specialists, you will ensure that the control environment supporting R3’s mission as an enterprise software vendor, operator of the Corda Network and provider of the Managed Services offering is appropriately designed to address the information risks faced by R3. In particular, you will be helping to develop the control environment for the Corda Network, a publicly available internet of Corda enterprise blockchain nodes, and the R3 Managed Services offering to new clients.
You’ll be used to working in environments with mature security controls, but have the insight to bring a risk-based approach to a fast-moving company with a start-up culture. This is an opportunity to help “write the book” on building assurance and good security practices for enterprise blockchain. If this sounds like you, read on…
- Support the Security Risk Manager in the delivery of security governance, risk and compliance activities for R3.
- Facilitate different types of security risk assessments and manage the identified risks via R3 security risk register.
- Ensure risk treatment plans are communicated to appropriate stakeholders and track risk remediation activities through to completion.
- Assist with security assessments and due diligence activities of critical 3rd party suppliers/vendors.
- Support the Security Risk Manager in the development, operation and maintenance of R3’s security control environment (ISMS) including information security policies, standards and guidelines.
- Identify emerging security requirements from R3 clients and ensure that capabilities to meet those are baked-in to R3 products and services.
- Prepare for and assist with an external assessment of R3’s security control environment such as SOC 2 and ISO 27001 (R3 is undergoing a SOC 2 assessment within a year and in the process of completing Cyber Essentials/Cyber Essentials Plus).
- Develop the security assurance program as a positive differentiator for R3.
- A firm understanding of implementing mature security controls/practices across the organisation and engaging with stakeholders across the business.
- You’ll have three or more years’ experience in a direct information security role specialising in governance, risk and compliance activities.
- We believe that we work better as a team, and hope you share that belief. You’ll be working in a diverse group of people with a variety of skills and backgrounds, and a high level of emotional intelligence will be assumed.
- You’ll need excellent communication skills, both verbal and written. You should be confident in explaining security terms and principles to an audience who may not be familiar with the underlying concepts.
- You will assist in defining the ISMS and controls assurance environment, creating the appropriate documentation/evidence to support external assessments of R3.
- R3’s control environment is risk-driven. Working knowledge of ISO 27005 would be great, but experience with other standards will be acceptable.
- You will have worked in an organisation certified to ISO 27001 or gained SOC 2 certification. You will have been part of this journey and understand the practices which need to be adopted for achieving different certifications.
- A firm understanding of the security practices which should be adopted for different legal and regulatory requirements such as PCI-DSS, GDPR, or different regulatory bodies.
- Experience of conducting security assurance/assessment activities and able to demonstrate process improvements to enhance the maturity of security controls.
- Financial services experience would be ideal, but experience in other organisations with a mature security environment would also be valued, e.g. large consultancy firms, telecoms, pharmaceuticals or critical infrastructure.
- You will have a solid appreciation of the variety of technical controls available to R3 including endpoint security, identity and access management, network security controls (firewalls, VPN), intrusion detection and security event management/log analysis tools. You won’t be expected to be hands-on with these tools, but you’ll certainly need to be aware of how they fit within the control environment which you will help to design and operate.
Additional Requirements (the nice to have…)
- Relevant professional qualifications would be great. We’d love an ISO 27001 lead auditor on the team. We have ISACA and ISC2 members already, so we’ll obviously look favourably on professional certifications from those bodies. You’ll need to demonstrate that any certifications you claim are valid and current (we will check).
- Understanding of public key infrastructure would be very useful. We’d be particularly interested to hear from people who’ve worked in internal PKI teams or for commercial CAs.
- An engineering or science degree would be great, as would an appropriate MSc. Appropriate career experience is just as important though. Be prepared to tell us all about that experience.
How We’re Handling Covid-19
We are extremely grateful to continue to grow as a company during these unprecedented times. Our #1 priority is the health, safety, and wellbeing of our current and future R3’ers. We want to share with you what we’re doing and what you can expect throughout our interview and on-boarding processes.
Since March, most R3’ers have been working remotely, although we have opened some key office locations globally, with limited capacity for those who cannot work from home or need to come into the office.
As you go through the virtual interview process with us, please don’t worry if children or pets make a guest appearance. We understand these things happen; it’s real life after all! If we are fortunate enough to welcome you to the team, we’ll get a laptop couriered to you and get you set up virtually on your first day. We also provide you with a “Work From Home” allowance to enable you to purchase some equipment to be more comfortable and productive.
We Have And Will Continue To Take Steps To Ease Some Of The Burden For Our R3’ers
We understand that Work From Home (WFH) life can be challenging in many ways, so some of the additional support measures we have in place include:
- New Starter WFH allowance (as mentioned above) to get you set up to work productively at home
- Additional access to wellbeing resources (as well as the support provided as part of your Vitality Private Medical) including a year’s free subscription to the Headspace app and modules on our Lessonly training platform from MindGym (including Goal getting, Stress Busters and Virtual Work)
- We also have additional health and wellbeing resources available on our wiki pages when you join.
R3 may process the personal data collected or identified as being imported in accordance with R3’s Recruitment Privacy Policy. Read the policy here. In particular, R3 will use the personal data provided for the purposes of processing your application for the role you have applied for, to assess your suitability for the role, and to enter into a contract with you if you are successfully brought onto the R3 team.