Information Security Manager

Posted:
9/24/2024, 8:35:42 PM

Location(s):
Yangon, Yangon Region, Myanmar (Burma) ⋅ Yangon Region, Myanmar (Burma)

Experience Level(s):
Mid Level ⋅ Senior

Field(s):
IT & Security

Job Posting Description

Overview

The Information Security Manager role sits in the first line of defense and is responsible for business units’ information risk management (IRM) services, in alignment with the mandates and objectives of the Asia segment as well as globally. The individual will collaborate and liaise with Country Information Services, Business Units, Global CoE teams and Asia segment stakeholders; participate in countries’ governance structure to support the implementation of the IRM strategy; execute the practices and controls; and promote risk and security awareness for the successful implementation of the IRM strategy. The role reports to the Head of IT Services.

 

Key Result Areas: 

  • Execute Information Risk Management/Information Security policies and standards and associated security controls, especially in the Information Security Management (ISM) and Technology Risk Management (TRM) domains, for the SEA region

  • Conduct Information Risk Assessments and Vendor Risk Assessments, participate in due diligence in the vendor selection process, identify potential risks, and provide guidance on the risk mitigation and acceptance process

  • Participate in IT projects and initiatives to bring a proactive risk management focus into solutions; assist in formulating the IRM plan to ensure effective and consistent application of IRM policies and standards across all technology projects, systems and services, as well as compliance with local laws and regulations

  • Assist in formulating risk mitigation plans and solutions to ensure compliance with Manulife’s standards, strategies and local regulations

  • Provide advisory and guidance on Information Risk, Technology Risk and Regulatory for information services and business 

  • Support and participate in security projects from our Global and Regional partners 

  • Assist in establishing the information risk and security council, risk profiles and appetites; report on the business unit’s risk and performance, posture and exposures; ensure up-to-date KPI/KRI metrics; monitor and report on current risk posture

  • Coordinate security activities, including but not limited to application security scanning and penetration testing, vulnerability management, regular logical access assessment, and information risk awareness and readiness for the market

  • Review and understand technology risk regulatory requirements; provide advisory; ensure compliance with the requirements, including framework, guidelines and policies for IRM and IT; maintain the local IT regulatory matrix

  • Conduct gap analysis for changes to Company policies, standards and new or updated Regulatory requirements, provide advisory and guidance on developing action plans to address the gaps 

  • Liaise with internal and external auditors and regulatory agencies on risk and compliance reviews and examinations; oversee audit issues and ensure issues are tracked and addressed in a timely manner

  • Incident management: establish communication and escalations, and response and handling in the event of an information risk or security incident; provide advice and guidance for immediate corrective actions. Participate in investigations and reporting. Review, advise on and monitor preventive actions

  • Ensure controls are executed effectively, efficiently and consistently across the SEA region; conduct quality control and tests on the controls, identify gaps, and devise and execute action plans to address any gaps found, ensuring deficiencies are remediated appropriately

  • Report control gaps and remediation status to stakeholders 

  • Coordinate and collaborate from an IT perspective on annual BCP activities such as the call tree test, alternate site test, DR drill and live run test

  • Act as the main focal point between IT and business to ensure mandatory BCP testing is conducted and reported to meet regulatory requirements

  • Work with the vendor and the Manulife BCP Coordinator in the business unit during the DR drill to ensure the drill is conducted as per the Manulife BCP standard and business requirements

  • Ensure that issues recorded as lessons learned in the DR drill report do not recur in future

 

Core Competencies and Skills: 

  • High integrity, adhering to principles, values and code of ethics 

  • Strong stakeholder management skills; able to effectively articulate technical vision, possibilities, and outcomes through strong verbal and written communication; 

  • Strong interpersonal skills, with ability to influence senior leaders and inspire and train more junior team members; 

  • Deep understanding of risks and how they can impact the business; 

  • Self-driven, able to meet objectives with a minimal amount of managerial oversight; 

  • Can distil complex issues into simple reports, solutions, and designs; 

  • Proficient in English, both verbal and written; proficiency in another Asian language is a plus

  • Excellent communication skills in both technical and non-technical areas 

About Manulife and John Hancock

Manulife Financial Corporation is a leading international financial services provider, helping people make their decisions easier and lives better. To learn more about us, visit https://www.manulife.com/en/about/our-story.html.

Manulife is an Equal Opportunity Employer

At Manulife/John Hancock, we embrace our diversity. We strive to attract, develop and retain a workforce that is as diverse as the customers we serve and to foster an inclusive work environment that embraces the strength of cultures and individuals. We are committed to fair recruitment, retention, advancement and compensation, and we administer all of our practices and programs without discrimination on the basis of race, ancestry, place of origin, colour, ethnic origin, citizenship, religion or religious beliefs, creed, sex (including pregnancy and pregnancy-related conditions), sexual orientation, genetic characteristics, veteran status, gender identity, gender expression, age, marital status, family status, disability, or any other ground protected by applicable law.

It is our priority to remove barriers to provide equal access to employment. A Human Resources representative will work with applicants who request a reasonable accommodation during the application process. All information shared during the accommodation request process will be stored and used in a manner that is consistent with applicable laws and Manulife/John Hancock policies. To request a reasonable accommodation in the application process, contact [email protected].

Working Arrangement

Hybrid

Manulife

Website: http://www.manulife.com.hk/

Headquarter Location: Kowloon City, Kowloon, Hong Kong

Employee Count: 1001-5000

Year Founded: 1897

IPO Status: Private

Industries: Financial Services ⋅ Life Insurance ⋅ Retirement ⋅ Wealth Management