Position Overview
Responsible for supporting and maintaining Finning’s overall IT risk management program, identifying, evaluating and reporting on information security risks in a manner that meets Finning’s regulatory and other compliance requirements. Work with the various business units and other internal groups and organisations to implement practices that meet Finning’s defined policies and standards for information risk management.
Major Job Functions
Manage all risk related activities across FinUK BP&S, including planning, testing, reporting, and recommending appropriate remediation activities. Manage risk policy, mitigation, and controls in conjunction with the Chief Information Security Officer (CISO) to ensure effective management of remediation efforts.
Work with Finning business units and departments to facilitate risk analysis and management. Identify acceptable residual risks and establish roles and responsibilities related to information classification and protection.
Design and conduct threat and risk assessments. Manage the oversight of technical risk assessments (e.g. vulnerability scanning, penetration testing). Manage information asset and application risk assessments. Manage third party risk assessments.
Conduct risk reviews for new applications. Review risk assessments and analyse IT control activities to provide reports and recommendations to the BP&S leadership team and CISO.
Coordinate information security and risk management projects across BP&S and the wider Finning business.
Ability to build and maintain harmonious and positive relationships with co-workers, staff and external contacts, and to work effectively in a professional team environment
Excellent written and verbal skills – including the ability to effectively communicate security and risk related concepts to technical and non-technical audiences – and good interpersonal and collaborative skills
Good communication skills when interacting with people at all levels – from developers to the board of directors – building a positive rapport
High degree of initiative, dependability, and ability to work with little supervision
High level of personal integrity, with the ability to handle confidential and otherwise sensitive matters professionally and with the appropriate level of judgement and maturity
Solid skills as a negotiator, to facilitate commitment to appropriate levels of residual risk from line of business leaders (desirable)
Basic knowledge of a broad range of standards and frameworks (e.g. ITIL, ISO 27001, CMMI) and risk management methodologies (e.g. COBIT, COSO)
A deep understanding of strategic business risks
Familiarity with the Caterpillar organisation and/or heavy equipment manufacturing is an asset
Ability to develop a comprehensive and deep understanding of Finning’s business, market and industry, and relate that knowledge to identified operations and IT-related risks
Knowledge necessary to propose relevant IT responses to changing business risks and regulatory changes
Maintain an understanding of current developments within the industry and regional legislative and regulatory frameworks that could affect established Finning IT policies and practices.
Manage, communicate, and develop Finning’s risk and control matrix.
Address deficiencies identified by automated assessments, monitoring reviews, internal and external audits, and self-assessments to ensure appropriate remedial measures are taken.
Assist in the development of tools, training, policies, and procedures to support the security, risk and compliance program.
Provide analytical support to the management team regarding metrics, reporting and special projects.
Identify and implement opportunities for automation or efficiencies to improve governance/audit controls within BP&S.
Review workflows, hand-offs, process steps and existing policies and procedures; analyse areas for improvement and provide recommendations.
Identify and monitor non-compliance and raise it when appropriate.
Develop, promote and monitor the regional Finning Records Retention program and ensure alignment with Finning’s global records management practices.
Work with business units to ensure data is properly classified.
Maintain the relationship with the Risk, Assurance and Advisory Services (RAAS) group.
Provide oversight and management of audit finding remediation, including generating requirements for full remediation, providing feedback and suggestions on managerial responses to findings, and tracking progress.
Work within the information security governance process to define control recommendations that are both efficient and effective.
Coordinate Information Security Awareness initiatives. Prepare and present relevant material in collaboration with the Information Security Manager and Security Champions.
Build positive, empathic relationships with the Finning group and primary 3rd party providers. Work with 3rd party suppliers and BP&S to ensure approved processes are followed.
Provide feedback to the Functional Excellence Manager on 3rd party supplier and BP&S performance.
Responsibility for review of IT controls relating to service availability, governance, user access, security, data, network and 3rd party operations.
Compliance and security oversight of 3rd party managed services.
Responsibility for change control oversight, review, communication and authorisations.
Review policy documentation for change control, incident management, asset coordination, disaster recovery, and security.
Management and coordination of performance, response, and remedial actions relating to internal and external IT audits and 3rd party security assessments.
Operational review of system vulnerability scan and event audit outputs and coordination of follow-up activity.
Ensure positive feedback from the management/leadership team.
Education and Experience
Educated to Degree level
3 to 5 years’ experience in IT risk management or a related discipline
Experience of outsource services (desirable)
- Current level: 3B at least
- Current evaluation: 3.0 at least
- Current job position: 1 year
We are committed to diversity at Finning, to building and sustaining a diverse and inclusive workforce and as an equal opportunity employer we encourage applications from all qualified individuals. Finning does not discriminate against applicants based on genders, races, national and ethnic origins, religions, ages, sexual orientation, marital and family status, and/or mental or physical disabilities.