Information Security Analyst
Clifford Chance is one of the world's leading law firms, helping clients achieve their goals by combining the highest global standards with local expertise. The firm has unrivalled scale and depth of legal resources across the three key markets of the Americas, Asia and Europe and focuses on the core areas of commercial activity: capital markets; corporate and M&A; finance and banking; real estate; tax; pensions and employment; litigation and dispute resolution.
Alongside world-class legal careers, Clifford Chance offers excellent opportunities in the support functions that underpin its business operations. By joining us in business services, you will help us to innovate in the way we deliver our services and enable us to run a successful multinational business that never stands still. Business services are integral to the running of the firm and are critical to its success.
Clifford Chance is not alone in facing increasing cyber security threats and information risks, along with heightened client scrutiny of our information security controls. The IT Risk team has an important remit to provide governance, coordination and leadership across these areas, drive continuous improvement, and provide assurance to our clients. We are a small team that works closely with our colleagues in IT Security, all other parts of IT and right across the firm globally.
This is a new role, reporting to the Head of Information Security (who acts as the firm's Chief Information Security Officer). IT Risk requires a fast-learning and self-motivated individual to add capability and capacity to our small team.
IT Risk is evolving in response to dynamic business needs, a rapidly changing threat environment, and the firm's own ambitious IT Strategy. This role will play a key part in implementing and improving the underlying processes required to provide a structured, systematic and audited approach to IT Risk across the firm. The role will have clear areas of focus combined with periodic involvement in a broad spectrum of information security activities.
The key tasks and responsibilities include, but are not limited to, the following:
• Work with the Head of Information Security to create and agree an improved structure and roadmap for conducting information security risk assessments, including:
    - Reviewing and advising internal projects and initiatives;
    - Reviewing external service providers and data custodians;
    - Agreement of ownership, associated tracking, follow-ups, and management reporting.
• Partner with key roles such as architects and design authorities to drive new and enhanced security models and defined risk tolerances, e.g. in the areas of identity management, compliance monitoring, and data governance.
• Assist in developing IT Risk tools and techniques to support the developing IT strategy, including the management of risks relating to outsourcing, third-party hosting, cloud vendors, and consumerisation challenges.
• Support the firm's cybersecurity strategy and programme by assisting the Head of Information Security where needed, e.g. helping to carry out threat monitoring, research, and elements of policy change and programme delivery.
• Participate in the evaluation, selection and implementation of security products and technologies.
• Provide support and cover for certain time-critical elements of IT Risk team responsibilities, such as incident management and security investigations.
• Support the firm's ISO27001-certified ISMS through risk assessment work, assistance during audits, documentation, and other continuous improvement activities.
• Plan, organise and deliver a series of security penetration tests (some regular, some ad-hoc) by working with external suppliers and internal applications & infrastructure colleagues.
• Work with external/client auditors as required.
• Maintain an awareness of current and developing threats and reflect these back into the risk management processes.
• Assist with Security Awareness initiatives.
• Assist with KPI collation and analysis.
The candidate must have experience of performing information security risk assessments, ideally with knowledge of ISO27001, SANS20 and NIST cyber security frameworks. They should be able to rapidly assimilate technical information to assess and document risks, have the knowledge and skills to engage with different levels of seniority, balance the need to obtain information with provision of support and advice, and continually demonstrate how IT Risk supports the firm's business objectives and our clients' need for information assurance. They should be able to apply an organised approach to managing and prioritising multiple concurrent assignments.
Although no formal qualifications are mandated, the successful candidate is likely to be degree educated and have one or more of the following – CISSP, CISA, CISM or CRISC.
It is essential that the successful candidate is a self-starter with an inquisitive, pragmatic and flexible approach backed by the tenacity to pursue enquiries through to a timely conclusion. It will be important to remain focussed on the strategic goals whilst maintaining an eye for detail.
The role may bring the candidate into contact with sensitive information and, as such, the ability to press ahead to a pragmatic conclusion whilst exhibiting the utmost discretion is important.
Experience in developing and using structured documentation (process, format, logical content, version control, etc.) is also important.