Information Security Compliance Manager

Date: 4 Jul 2024

Location: AE

Company: Majid Al Futtaim

Majid Al Futtaim invites you to join us in our quest to create great moments for everyone, every day! We are the leading shopping mall, residential communities, retail and leisure pioneer across the Middle East, Africa and Asia, serving over 560 million visitors a year. For the past two decades, we have shaped the consumer landscape across the region, transforming the way people shop, live and play, while maintaining a strong sustainability track record and the largest mall in the world to attain LEED Gold EBOM Certification. We have over 45,000 team members in 17 international markets representing over 100 nationalities – all keeping the customer at the heart of everything we do. If you enjoy being BOLD, PASSIONATE and TOGETHER, then Majid Al Futtaim is the destination for you.


ROLE SUMMARY

The Information Security Compliance Manager is responsible for leading the efforts in managing and mitigating information security risks and ensuring compliance with the internal control framework, relevant industry regulations and standards. The ideal candidate will have a strong technical background in compliance management and Identity and Access Management, along with exceptional communication skills.

ROLE PROFILE

Identity and Access Management

  • Develop and maintain identity and access management (IAM) procedures and policies in alignment with Group’s IAM strategy.
  • Design and configure user access controls, including role-based access control (RBAC), permissions, and privileged access across various platforms and applications.
  • Monitor IAM systems for security incidents, anomalies, and unauthorized access attempts, and take appropriate action to mitigate risks.
  • Conduct regular audits and assessments of IAM processes and controls to identify areas for improvement, and drive the implementation of IAM best practices.
  • Act as technical SME / architect for design and implementation of IAM and PAM solutions, collaborate with IT and business stakeholders to define requirements and onboard new applications on IAM platforms.
  • Document access review calendar covering all the business applications and technology platforms. Coordinate with business and application owners to conduct periodic access reviews, prepare access review reports, and ensure timely remediation.
  • Document IAM configurations, workflows, and procedures, and contribute to the development of training materials and knowledge base articles for end-users and tech support teams.


Security Audits and Posture Assessments

  • Manage and coordinate audit engagements, work closely with auditors, including external audit firms and internal audit teams to ensure smooth audit processes and compliance with security requirements and industry standards.
  • Track and manage audit observations and findings to ensure timely resolution and closure, including the development and implementation of corrective action plans.
  • Manage security testing and posture assessment engagements, assess security control effectiveness, and manage the remediation activities by closely working with business and technical teams.
  • Define the approach, guidelines and use cases for static and dynamic application security testing. Continuously improve security testing methods, tools and approaches.
  • Conduct / manage security penetration testing during new projects, major feature enhancement or change as per defined security testing guidelines.


Risk & Compliance Management

  • Serve as a single point of contact for security risks identified by IT Governance teams, risk and internal control functions of different business units.
  • Maintain Information Security risk tracker to capture and prioritize all identified risks, including further assessing the potential impact and likelihood of each risk and assigning appropriate risk owners.
  • Track mitigation actions and remediation plans for identified risks, working closely with action owners to ensure timely completion and effectiveness of mitigation measures.
  • Conduct technical risk assessment and analysis as needed to identify actual risk rating, define/ agree risk treatment plan with action owners and ensure timely closure of mitigation activities.
  • Develop, implement and maintain security controls and processes in accordance with the internal control framework, industry standards and organizational policies.
  • Define Key Risk Indicators (KRIs) for security controls and establish mechanisms for monitoring and reporting on these indicators.
  • Analyze security-related data and metrics to identify emerging risks and trends and make recommendations for mitigating actions.
  • Participate in security incident investigations, root cause analysis, and the development of remediation plans to prevent recurrence.


Vendor Management

  • Collaborate with managed service providers to oversee risk and audit management services and remediation support and ensure service level agreements (SLAs) are met.
  • Monitor vendor performance, define security reporting metrics and address any issues or concerns promptly.
  • Key operational metrics met, for example SLA compliance, effective risk mitigation and compliance, and operational excellence.
  • Key delivery metrics, for example security control coverage, delivering new functionality and services, automation and process optimization.
  • Key organizational metrics, for example staff performance and productivity, and service provider management.
  • Cost management metrics, for example cost of delivering IT services, resource costs, and budget control.
  • Customer satisfaction metrics.


Functional/Technical Competencies


  • Strong understanding of IAM principles, concepts, and technologies, including identity governance, authentication methods, and access control mechanisms.
  • Proficiency in IAM and PAM platforms and tools such as Active Directory, Azure Active Directory, CyberArk, SailPoint, or similar solutions.
  • Excellent knowledge of IT security solutions and platforms (e.g. CASB, Data Leakage Prevention, Web Application Firewall, Multi Factor Authentication, Database Activity Management, Vulnerability Management, Application Security Testing tools, etc.).
  • Solid understanding of firewalls, intrusion detection and prevention systems, active network security, endpoint security, identity and access management, encryption, web content filtering, e-mail protection, network access protection, SIEM, and hardening policies and procedures.
  • Experience with industry standards, guidelines, and regulatory compliance requirements related to information security and cloud computing such as GDPR, ISO 27001, Cloud Security Alliance, NIST, PCI DSS, etc.
  • Strong understanding of security risk management frameworks, tools and techniques, and experience of managing security risks throughout the risk lifecycle.
  • Strong knowledge and experience of implementing security automation tools and techniques in a hybrid, multi-cloud environment.
  • Solid understanding of security threat management frameworks and attack/defense techniques, including MITRE ATT&CK and OWASP.
  • Strong analytical skills to analyze requirements and translate them into appropriate security controls.
  • Experience of working with managed service providers and ensuring SLA compliance.
  • Ability to work under pressure and respond effectively to high-priority incidents on a 24x7 basis.


Personal Characteristics and Required Background:

Skillset (job-specific skills)


  • Excellent inter-personal, communication and documentation skills.
  • Good understanding of information management practices, system development life cycle management, IT services management, agile and lean methodologies, infrastructure and operations, and EA and ITIL frameworks.
  • Proven analytical and problem-solving abilities.
  • Ability to effectively prioritize and execute tasks in a high-pressure environment.
  • Excellent written, verbal, communication and presentation skills with the ability to articulate new ideas and concepts to technical and nontechnical audiences.
  • Ability to conduct research on new features / products and troubleshoot technical issues.
  • Team player and skilled in working within a collaborative environment.
  • Demonstrably self-motivated, proactive and action-oriented in achieving deadlines.