Risk and Control Advisor – Shell – Bengaluru, Karnataka

The purpose of the Security & Compliance (S&C) function is to ensure (as a first line of defence, with IRM providing the second line of defence and internal audit providing the third line of defence) that Shell is addressing Information Risks in an effective and efficient manner, commensurate with Shell risk appetite, and being seen as an industry leader among peers and key suppliers of security services.

The Information Risk posture of Shell includes a wide variety of potential business impacts, such as HSSE impacts, production loss, financial and maintenance operations loss, loss of Most Confidential bidding data.

The S&C function performs risk assessment, defines the selection of mandated IT Controls, and designing of these controls. The function organises communication campaigns to impact the behaviour of business and IT staff where it relates to Information Risks.

Position description

Purpose

The Security & Compliance (S&C) Competency Centre (CC) Analyst supports in the identification, prioritization and management of all Confidentiality, Integrity, Availability and Regulatory risks to the services delivered by Shell IT and suppliers. This is to ensure the risk to Shell is reduced to an acceptable level and managed effectively and is achieved by ensuring an appropriate risk and control framework is in place, identifying, assessing and developing remediation plans for all risks and by ensuring all new developments are appropriately assessed. This job requires extensive interaction with portfolio managers, project managers, (security) architects and service managers/Operations Landscape managers.

Accountabilities

The Security & Compliance (S&C) Competency Centre (CC) Analyst is responsible for the following:

Project Review and Technical Advice

• Review all new projects; new technical designs; for Information risks and advise on suitable controls and mitigations at early stages of the program.
• Lead for specific technology and advice on the Information security for their projects.
• Offer advice to Shell and suppliers to assist in resolving questions and issues around how to manage risk
• Provide Subject Matter Expertise for projects and business stakeholders, in combination with the Improvement Program.
• Work with the architecture community to review new technology and architecture innovations.

The Security & Compliance (S&C) Competency Centre (CC) Analyst is responsible for supporting the following:

Risk Management and Mitigation

• Assess and classify all potential business and infrastructure information risks.
• Execute, with suppliers, risk analyses on IT application/services.
• Develop and socialize our overall risk profile and action plans to mitigate risks
• Facilitate smooth conduct of Risk Assessment (including Legal & Regulatory) on Applications, Network& Systems
• Perform end to end Security Assessment on vendor offerings – New/Leveraging existing (SAAS / PAAS/IAAS) services including integration with Shell environment.
• Translate Technical, legal and Regulatory Compliance obligations into a cohesive collection of Security Controls and provides the respective stakeholders with the IRM requirements and its implementation methodologies.
• Actively participate in S&C team and community meetings, representing S&C and Business interests in other CC forums.
• Support during Internal /External Audit
• Ensure that S&C continues to focus on risks significant to the Business, with emphasis on innovation.

Controls Management and Optimization

• Ensure controls are both risk-driven and based on industry standards
• Review and approve the control design of supplier and Shell technical specifications against Shells control requirements, as agreed contractually, during PDF project.
• Support the development of new IRM policies, tooling, procedures where required.

Dimensions

• An Individual Contributor, part of global IT engineering team
• Face of S&C; Interfaces with Project Delivery staff/Business / Business IT teams
• Responsible for the management of risk involving the security, IT regulations, Shell IT policies and other IT controls for all services delivered by the Key business and Infrastructure Suppliers and all services.

Special Challenges

• A special challenge will be to stay on top of the many engagements while at the same time having a deep understanding of Information security.
• Communication and Stakeholder Management skills are essential for this role, being able to cut through complex IT issues and explaining those in easy Business language.

Experience and Qualifications required

• Relevant (>6 years) experience with Information security and risk management
• Good understanding of, and experience with Information Risk Management, IT Security and Compliance and Security Controls and Audit
• Advanced understanding of internal and external IT security standards, SOX, PCI, SOC2/1, ISO27001 standards and relevant legal compliance aspects.
• Robust understanding of, and solid experiences with the impact of Security on application development and operations as well as the IT Infrastructure.
• Ability to promote high performance teams, working with inclusiveness and cultural diversity, across organizational boundaries.
• Good understanding of cloud security requirements and third-party control assurance.
• Ability to interface with different groups (Third parties, Business and IT) internal and external to IT (security) and to network globally across Group businesses, as well as with external groups.
• Technical knowledge & relevant experience in security domains /technologies related to:

• Infrastructure/Network security
• Identity and Access Management
• Business Impact Assessment
• Application security
• Data Leakage Prevention
• End-Point Protection
• Web filtering technologies, Proxies and firewalls.
• Vulnerability Assessment / Penetration Testing
• Cloud security

• Knowledge of Data Security Standards: PCI DSS, Privacy Principles
• Driving Platform / Application security and compliance
• Ability to foresee and identify mitigation strategies for RisksCandidate must also:

• Display excellent communicating and influencing skills
• Display analytical and problem solving skills
• Be pro-active and self-motivated
• Display strong interpersonal and negotiating skills with all levels of staff.
• Display Ability and eagerness to quickly learn new technologies.

Qualifications

• A qualification in CISSP, CISA, CRISC or CISM

Experience

Must have previous experience in an (Information) Risk management and Control design role