Ashurst is a leading progressive global law firm with a rich history, celebrating its bicentenary in 2022. We are proud of our history and future-focused, having expanded into new technologies through our NewLaw division, Ashurst Advance, and our consulting arm. Our in-depth understanding of our clients and commitment to providing excellent standards of service have seen us become a trusted adviser to local and global corporates, financial institutions and governments in all areas of commercial law. To find out more please visit www.ashurst.com.
In order to comply with regulatory and client requirements, Ashurst will undertake appropriate vetting of staff. When applicants accept a job offer, Ashurst, alongside a specialist provider, will undertake professional verification and background checks. These checks are only undertaken with consent, and in accordance with our legal and regulatory obligations.
The primary role of the Information Security Officer is to enable the Information Security function to deliver first-class and timely security advisory and security assurance services to all areas of the Firm, thereby supporting the objectives of the information security programme.
This is a senior role within the Information Security function and is therefore expected to communicate the information security strategy and its requirements to all internal and external stakeholders.
Information Security Consultancy
As a trusted information security advisor with expert knowledge, work with internal and external stakeholders to:
- Respond to internal and external questions and queries in relation to the Firm's information security control and governance framework.
- Provide high-quality and commercially appropriate consultancy services that are fully aligned with the business risk appetite.
- Provide subject matter leadership and response to information security-related incidents, such that these are investigated in a timely manner, communicated effectively and appropriate actions are taken.
- Provide regular insights into the threat landscape faced by law firms to enable timely, evidence-based advice on threat mitigation techniques.
- Support the wider activities and responsibilities of the Information Security function, specifically relating to the execution of the Information Security strategy and the operation and maintenance of the ISMS, as directed by the ISMS Manager.
- Work closely with 3rd party suppliers to assess and audit their information security posture, communicate new requirements and track remediation of findings through to conclusion.
- Take responsibility for responding to client security questionnaires, highlighting any gaps in compliance for remediation and proposing alternative compensating measures.
- Take responsibility for the delivery of information security compliance and assurance assessments for IT and business projects.
- Maintain an in-depth knowledge of all relevant information security standards and frameworks, including ISO 27001, the NIST SP 800 series, ASD Top 25 and Cyber Essentials.
- Apply in-depth knowledge and demonstrable practical experience of information security risk management techniques and methodologies to drive stakeholder risk strategy decision-making.
- Prepare, review and socialise security policies, procedures and standards, addressing issues and building consensus and awareness throughout the organisation.
Information Security Advisory in IT & Business Projects
Undertake the information security advisor role for IT and business projects. Responsibilities include:
- Conduct information security risk assessments, including identifying appropriate risk mitigation controls. Document the associated risk treatment plans in sufficient detail for the project team to implement.
- Validate that common and system-specific mitigation controls for each project deliverable have been appropriately implemented and are operational.
- Work with project teams to ensure the necessary IT system-specific information security documentation and supporting materials are delivered as part of the business take-on process.
- Collaborate with the Data Privacy and Business Continuity functions to provide relevant information for both topic areas.
- Provide all assurance actions, information and documentation required to obtain approval from the information security accreditor for the project deliverables.
- Ensure all information security-related requirements for each project are delivered in accordance with the Firm's project management quality criteria.
- Work with external technical security assessment organisations to define the specific requirements of penetration testing engagements. Obtain approval from the affected project teams and lead any remediation action planning activities in line with policy requirements.
3rd Party Security Advisory and Assessments
Undertake information security audits and assessments of 3rd party services to the Firm, including cloud service providers. Responsibilities include:
- Work independently and, as required, with internal stakeholders to effectively assess the security control and governance framework of prospective and existing 3rd party technology solutions and cloud service providers.
- Conduct 3rd party information security risk assessments for prospective 3rd parties, including identifying risk mitigation controls, and document and report findings to the vendor management team.
- Assess and define contractual security requirements and support legal advisors with their negotiation.
- Conduct regular assessments of 3rd party compliance with the Firm's information security requirements, either remotely or via on-site assessments.
Security Awareness Duties
Actively participate in the Firm's Cyber Awareness programme, defining and delivering content via multiple communication channels for staff and 3rd parties. This includes attending 'Town Hall' meetings, supplier service review meetings, and practice and division meetings to educate staff on the role they play in protecting information assets.
Security Incident Response Duties
Supports the Firm's information security incident management processes. Leads or participates in assigned information security response scenarios and root cause analysis.
Security Controls Assurance Assessment Duties
Conducts information security administrative, physical and technical controls assessments to ensure security controls have been implemented and continue to operate effectively, mitigating threats appropriately and in compliance with the information security policies and associated standards.
Support ISMS Continuous Improvement Activities
Participate as directed in the activities required to maintain and continuously improve the Firm's ISMS.
Risk and Control: Ensure that all activities and duties are carried out in full compliance with our regulatory requirements and internal policies.
Essential skills and experience:
- Thorough understanding and demonstrated experience implementing and assessing ISO 27001/27002 controls.
- Industry certified, such as CISSP, CISM and/or CRISC
- Industry certification in the AWS and/or Azure cloud platform
- Certified ISO 27001 Lead Auditor, CISA
- Excellent knowledge of the ISO 27005 risk management standard or the NIST RMF
- Knowledge of global Data Protection and Privacy regulations
- Ability to work with and across all business support functions in the firm
- Excellent analytical skills
- Excellent written and communication skills
- Able to understand, interpret and respond to client requirements.
- Able to operate effectively and independently or as a member of a wider project team.
- Awareness of and exposure to different software development life cycles and methods
- Able to produce high-level solutions and approaches, requiring systems analysis and design skills
- Advanced knowledge of MS Office applications, including Word, Excel and PowerPoint
- Able to manage own workload and handle multiple tasks simultaneously
- Detail oriented with an ability to work accurately and efficiently even when under pressure
- Ability to complete set tasks with minimal supervision
- Tactful and diplomatic when in pressured situations
- Uses initiative - 'can do' approach
Desired skills and experience:
- Previous experience of working for a professional services organisation or within the legal sector
- Familiar with ITIL, PRINCE2 and Agile
- Previous experience of implementing the NIST Risk Management Framework