
Information risk

Leaseplan
€60,000 - €120,000 a year
Posted: 27 September
Offer description

Company Background

Ayvens is a leading provider of mobility services worldwide with 3.3 million vehicles under management. The Ayvens brand was launched in 2023, following the merger of the ALD and LeasePlan leasing groups to create a market leader in mobility. Ayvens is part of the Societe Generale Group.

In Ireland Ayvens operates leasing and insurance units. Ayvens is seeking an Information Risk & Security Officer to oversee information security risk in its Irish units.

Job Purpose and Reporting Line

The Information Risk & Security Officer role forms part of the second line of defense Risk Function. The role is responsible for oversight of information security policies, standards and processes and for providing subject matter expertise and guidance on security risks, their assessment and relevant mitigating actions. The Information Risk & Security Officer role will form part of the Risk Function.

This position constitutes a controlled function under the Central Bank of Ireland Fitness and Probity Standards and the role is subject to approval pursuant to such Standards.

Scope of Responsibilities

The Information Risk & Security Officer is responsible for:

Defining and monitoring the implementation of policies on topics related to IT, information and cyber risks.

* Align policies with local regulations, including DORA
* Oversee the implementation of the framework for managing IT, information, and cyber risks
* Oversee information risk management when undertaking projects and report as required
* Review and monitor training on IT, information and cyber risks
* Create awareness in the first line relating to information risk rules, policies and procedures
* Challenge and analyse systems for managing and monitoring IT, information and cyber risks
* Provide an opinion on implementation of policies, standards and procedures.
* Lead the second-line role in relation to DORA and provide guidance, advice and challenge in relation to compliance with same.

Contributing to ensuring the overall control of IT, information and cyber risks

* As an independent critical mind, challenge decisions of management of the business, ensuring these are based on complete and transparent information
* Take part in coordinating and monitoring corrective action plans
* Coordinate and execute second line oversight and challenge in relation to IT, information and cyber risks
* Continuously oversee and report on the effectiveness of LOD1 controls and the adequate identification and measurement of risks
* Monitor the quality of information risk assessments, vendor risk assessments and the quality of control testing

Risk identification and monitoring

* Challenge IT, information, and cyber risks indicators provided by LOD1
* Be the point of contact for all topics related to IT, information, and cyber risk
* Challenge and assist in the implementation of the information risk management measures to ensure that the processes and controls in place in the LOD1 are properly designed and effective
* Challenge and quality assure risk assessments by the business, to ensure they sufficiently address relevant Information Security risks and risk responses (including risk acceptance)
* Carry out second-level control testing to verify the adequacy and effectiveness of controls performed by LOD1
* Develop and maintain the Information Risk & Security Risk monitoring plan including thematic reviews of the information risk framework
* Advise and support the LOD1
* Oversee, challenge and report on the Information Security performance of outsourced service providers through review of assurance reporting

Privacy second line oversight

* Carry out LOD2 activities as required by Group Data Privacy Policies.
* Challenge and assist in relation to data privacy assessments completed by 1LOD functions.
* Assess, monitor and report on privacy and data protection risks and the effectiveness of controls in relation to new/existing products, systems and processes etc.
* Create awareness in the first line relating to data privacy requirements, policies and procedures and assist with staff training on data privacy topics.
* Facilitate the identification and management of potential situations and/or risks in projects and processes
* Ensure data protection incidents are properly identified, investigated, reported and resolved, taking measures to prevent them from happening again, with the aim of minimizing the occurrence of situations that jeopardize Ayvens' reputation

Reporting

Report to the Risk Committees and other committees regarding information risk as requested. Build and maintain relationships with Group Risk, Group Information Security, the Group IT organization, the Group Privacy function and program/project managers on their Information risk exposure, appetite and treatment.

Skills required

* University level education
* 3+ years of relevant experience.
* CISSP and CISM (or equivalent) accredited, or obtain these in the short term (1-2 years).
* Up to date CPD for qualification held (where applicable)
* A background in Information Security and a strong affinity with IT is preferred.
* Strong analytical skills. You will need to be able to quickly get to the bottom of the most important vulnerabilities, threats, and potential controls.
* Experience in providing advice on data protection best practices
* Previous experience of working within the three lines of defense model
* Ability to develop and maintain valuable stakeholder relationships
* Good communication and presentation skills. Comfortable and experienced in addressing groups, subject matter experts and middle / senior / top level management. Know when to listen.
* English (fluent, spoken and written)

Behavioural competencies required

* Critical but constructive mindset, forming your own opinion based on your own analysis and observations.
* Pro-active.
* Ask for help when needed.
* Eager to explore and learn new things.
* Give advice with the business objectives always in mind.
* Manage stakeholder expectations in a timely manner.
* Uses a creative approach to explain technical topics to various types of audience

Under group policies, the role forms the second-line information risk function and second-line privacy function.

Job Types: Full-time, Permanent

Application question(s):

* What are your salary expectations?

Work authorisation:

* Ireland (required)

Location:

* Leopardstown, CO. Dublin (required)

Work Location: In person

Expected start date: 01/07/2025
