Job Title: Security Manager
Experience : 3 years to 5 years
Department: IT Infra
Location: Thane
Purpose of the Job:
- To keep up to date with security trends, threats and control measures, to be an active member of the Information security manager communities.
- To carry out technical vulnerability assessments of IT systems and processes, identifying potential vulnerabilities, to make recommendations to control any risks identified and to ensure they are implemented.
- He should prepare the security plan for software and IT Infra and conduct the internal audit and build mechanism to ensure the security compliance. Interact with all stakeholders to ensure the compliance.
- Standardization of Inventory of authorized and unauthorized devices — That can include specific lists of device models that are allowed or banned, or lists of criteria devices must meet before they’re allowed on the network.
- Standardization of Inventory of authorized and unauthorized software — Likewise, organizations should know what software is allowed on their systems and have a way to monitor applications that aren’t allowed.
- Secure configurations for hardware and software — All devices, including PCs, laptops, mobile devices and servers, should be properly configured to prevent cyber attacks. Hackers often exploit default configurations, so an IT security plan should include procedures for verifying secure configurations before a device is connected to the network.
- Ensure Secure configurations for network devices — Likewise, routers, firewalls, switches and other networking devices must be properly configured to protect against cyber attacks. In many organizations, vulnerable configurations build up over time as changes are made and then forgotten about.
- Continuous vulnerability assessment and remediation — he should conduct the automated vulnerability testing to scan for security holes on at least a weekly basis. Security Head should prepare the procedures to make sure vulnerabilities found are fixed in a timely manner.
- Defences against malware — Malware is one of the most common cyber-attacks against businesses, and an effective IT security plan will include a variety of defences, such as installing anti-malware applications, disabling auto-run features on users’ machines and improving email protection.
- Secure web applications — Hackers can access networks through vulnerabilities in web-facing applications. Often businesses are attacked after trusting applications developed by third parties, so he should conduct the test of all software before they’re used.
- Secure wireless devices — Many attacks stem from wireless networks, either because nearby attackers access the network through Wi-Fi, or data is stolen when users connect to unsecured wireless networks. He should monitor traffic on their wireless networks and use enterprise-level security controls to protect access points, as well as create policies and training to ensure safe Wi-Fi use among employees.
- Data recovery capability — He must make sure data is backed up in case it’s damaged or destroyed by cyber attacks or other incidents. He should ensure that an IT security plan to include regular tests to make sure data is backed up and recoverable.
- Security skills assessment and training to everyone in the company should be given a security skills assessment and offered training to cover any gaps.
- Control of ports and services — In addition to user desktops and web applications, hackers can gain access to companies’ networks through web servers, mail servers, file and print services, DNS servers and other services, often because they were enabled by default without IT’s knowledge.
- Controlled administrative privileges — A large number of data breaches are blamed on a company’s own employees — either because they intentionally stole data or their negligence led to a breach. One way to lower risk is to limit the access privileges employees have to only what they need to do their jobs.
- Data categorized based on sensitivity — Likewise, it’s important to limit access to individual sets of sensitive data to only the people that need to see them. To do that, businesses must take an inventory of their data and create categories based on sensitivity.
- Audit administrative accounts — Attacks often exploit inactive user accounts to gain entry into a network. IT must make sure it closes accounts as soon as they are no longer needed — that means they should be in close communication with HR so they’re immediately aware of personnel changes.
- Boundary defenses — To effectively keep attackers from gaining access to the network, the CCA recommends a multi-layered IT security plan that includes firewalls, proxies, perimeter networks and other tools, as well as blocking inbound and outbound traffic to and from blacklisted IP addresses.
- Monitoring and analysis of audit logs — While preventing attacks is important, it may be even more critical to detect attacks that do happen and prevent them causing more damage. One way to do that is to create regular network audit logs and check them for anomalies.
- Protections against data loss — Data often falls into the wrong hands after a computing device is lost or stolen or it’s siphoned off the network after a cyber attack. One key protection against both those types of incidents: encryption.
- Effective breach response plans — The sad fact is that data breaches will occur — but IT can help protect against damages to company’s reputation and bottom line by making sure an effective data breach response plan is in place before an incident occurs.
- Securely designed networks — Even when all controls are implemented as part of an IT security plan, the CCA says attacks can still occur in networks that are poorly designed. One big problem: Many networks fail to keep different segments separate, leaving the whole network vulnerable in case of an attack.
- Penetration testing — Finally, a good IT security plan will call for regular penetration testing to discover vulnerabilities that may be left open despite the other security controls. He should ensure the same as per security Plan.
- To develop and maintain the information security policy and accompanying standards, procedures and guidance
- To develop and deliver a programme of planned compliance reviews and ensure any gaps are addressed
- To promote security awareness by developing and implementing a security awareness and training programme
- To investigate suspected and actual security incidents in accordance with the security incident management standard, produce reports with recommendations and ensure any remedial action is taken
- Respond to enquiries from staff and provide security advice as required
- Work with internal stakeholders to develop relationships to help promote and improve information security and provide security advice on procurements, projects and new initiatives as required
KPI’s (Key Performance Indicators) of the job:
- Improve overall security in the IT Infrastructure.
- No Non-Conformance from CO Audit or ISO27001 external Audit.
- Overall improvement in Cyber Security Infrastructure for Application hosted & developed by us.
- No security incident in the year.
Efficient implementation of Cyber Security Plan to improve the tier in NIST framework
Pay: ₹35,000.00 - ₹45,000.00 per month
Benefits:
Work Location: In person