Specialist I (Information Security)

- Participate in the development and maintenance of corporate-wide information security framework, policy, guideline, standard, and operation procedures with reference to ISO27001 standard and applicable best practices;
- Perform day-to-day security administration and operation including but not limited to management of end users and privileged accounts, keys and certificates, review of security logs, performance of technical vulnerability assessment and penetration testing as well as handling of security incidents, etc.;
- Assess and recommend information security control measures, as well as monitor the
implementation for major projects;
- Participate in the implementation of security solutions and infrastructure collaborating with internal teams and external service providers;
- Monitor and analyse security events for detection, investigation and response to potential security issue;
- Maintain and monitor appropriate computer and network access controls, data, and physical security to ensure no security exposure;
- Participate in cyber threat intelligence analysis when required

- Assist to define information security risk indicators; collect, analyse and interpret the
corresponding statistics for assisting senior management in overseeing information security risk;
- Identify control gaps, review the residual risk level and make recommendation for risk treatment;
- Interpret security key risk statistics for reporting to senior management on regular basis
- Promote security awareness and ensure compliance with applicable security standards
- Review and make recommendation on using of Open Source Software (OSS) and freeware

- Execute security operation procedures in accordance with the corporate information
security policy and guidelines when required
- Keep abreast of technological knowledge in managed area of responsibility, and provide recommendations for adaptation of new security technologies and standard with reference to prevailing industry best practices
- Perform other job duties as assigned by the supervisors

- University degree preferably in information technology, information security or related discipline
- Minimum 4 years of experience in information security or related field
- Knowledge in security practices and standards commonly adopted by the banking/financial industry such as the Cyber Resilience Assessment Framework (C-RAF), SWIFT Customer Security Controls Framework (CSCF), ISO27001 standard, etc. is an advantage;
- Team player with sound interpersonal, communication and presentation skills as well as excellent problem solving and analytical skills;
- Holder of security certificates - CRISC, CISA, CISM, CISSP or other equivalent
certificates is an advantage
- Experience and knowledge in the area of public and/or private cloud security is an
advantage
- Practical experience and knowledge in risk management framework and methodology is desirable
- Experience in working for major financial institutions is preferred but not a must
- Good command of written and spoken English and Chinese
- Willing to work shift duty (evening shift normally from 12:30 to 21:30 with shift duty
allowance)
- Candidate from non-financial industries will also be considered
- Candidate with less experience may be considered for appointment as Specialist II
(Information Security)