Manager, Information Security

AirAsia

Serang, Daerah Khusus Ibukota Jakarta

On-site

IDR 300.000.000 - 400.000.000

Full time

30+ days ago

Job summary

An established industry player is seeking a seasoned Information Security Manager to oversee compliance and risk management. In this pivotal role, you will guide the organization in aligning with global security standards while advising local leadership on critical cybersecurity matters. Your expertise will be vital in monitoring compliance, managing incidents, and fostering a culture of security awareness. Join a dynamic team committed to innovation and excellence, where your contributions will directly impact the safety and integrity of operations. If you are a proactive leader with a passion for information security, this opportunity is tailored for you.

Qualifications

  • 6+ years in Information Security Operations, Governance, Risk Management.
  • Strong knowledge of ISO 27001, PCI-DSS, and local regulations.

Responsibilities

  • Advise on information security regulations and compliance.
  • Monitor security events and manage incidents effectively.

Skills

Information Security Management
Risk Management
Compliance
Communication Skills
Analytical Skills
Interpersonal Skills
Conflict Resolution
Attention to Detail

Education

Bachelor's Degree in Information Technology
Bachelor's Degree in Computer Science

Tools

ISO 27001
PCI DSS
CIS
NIST CSF
CISA
CISSP
CGEIT

Job description

This position will report directly to the Aviation CISO. The candidate will provide advice,
consultation, and awareness of the Group Information Security requirements to technical
teams and other employees, and ensure its implementation. This role will be responsible for
ensuring internal systems and processes are compliant with information security standards
(e.g., ISO 27001, PCI DSS, CIS, NIST CSF, etc.); monitoring, managing, and closing information
security compliance issues. Other responsibilities include identification, evaluation, and
interpretation of standards, regulatory, statutory, and member security requirements, control
deficiencies, and information security risks. This position will be the primary point of contact
during information security incidents and responsible for managing the incident.

Duties and responsibilities

  1. Advise CISO on local information and cybersecurity-related regulations and
    requirements, and then map or recommend changes to existing policies and
    frameworks.
  2. Advise local CEO(s) and management on Information Security matters, which may,
    from time to time, include updates to the Boards of Directors of the various entities.
  3. Monitor and report on compliance with security and data protection policies, as well
    as the enforcement of policies.
  4. Work with in-country Data Protection Officer(s) of AirAsia Aviation on data protection
    requirements.
  5. Maintain a record of up-to-date information security assets (e.g., equipment,
    documents, etc.).
  6. Participate in and facilitate audits and assessment activities to ensure compliance with
    information security requirements.
  7. Monitor and investigate local security events and incidents in collaboration with the
    Group Detection & Response team (Security Operations Center).
  8. For locally arising security incidents, act as Incident Manager, in coordination with
    Group Incident Response & Management teams.
  9. Identify, communicate, and manage current and emerging security threats with
    relevant stakeholders. Manage end-to-end information security incidents with the
    assistance of incident management teams.
  10. Conduct or facilitate periodic and/or ad-hoc information security assessments and
    testing, as well as manage the findings.
  11. Analyse management and technical controls to ensure specific security and
    compliance requirements are met through verification of documented processes,
    procedures, and standards in order to validate the maintenance of secure
    configurations.
  12. Monitor and facilitate the entitlements review process to ensure compliance.
  13. Monitor third-party risk assessments and assist in performing internal risk
    assessments.
  14. Support development and reviews of security policies, processes, and procedures
    and support service-level agreements to ensure that security controls are managed
    and maintained.
  15. Collaborate on IT projects to ensure that security policy/risk issues are addressed
    throughout the project life cycle.
  16. Information Security Awareness - Participate in the development of information
    security awareness training in conjunction with other members of the GRC. Provide
    consultation, education, and awareness on information security requirements to
    various levels of management and Allstars.
  17. Liaise with the Group Information Security Architecture team to ensure local
    requirements and activities are aligned with the strategies and objectives of group
    information security design.
  18. Monitor local guest accounts, payments, and fraud risks and advise Group Business
    Security (SuperApp accounts and payments anti-fraud, Fraud Operations Team, and
    Continuous Monitoring Team) on local business security requirements and threats.

Requirements:

  1. Bachelor's Degree in Information Technology, or Business with IT, Computer Science,
    or equivalent
  2. Minimum 6 years' experience in managing Information Security
    Operation/Governance, Risk Management, and Compliance, or related fields
  3. Relevant industry certification is an advantage (ISO 27001, CISA, CISSP, CGEIT, etc.)
  4. Working knowledge of common IT/information security-related regulations or
    standards, especially ISO 27001 and PCI-DSS
  5. Working knowledge of local information and cybersecurity-related regulations and
    requirements is a huge advantage
  6. Ability to develop, review and maintain documentation in a timely manner
  7. Strong communication (spoken and written), interpersonal, and conflict resolution
    skills. The ability to establish and maintain rapport with stakeholders is highly
    desired.
  8. Strong analytical and critical thinking skills
  9. Result-oriented, high level of attention to detail, self-starter and motivator, ability to
    multitask and adjust to shifting priorities.

We are all different - one talent to another - that is how we rely on our differences. At AirAsia, you will be treated fairly and given all chances to be your best. We are committed to creating a diverse work environment and are proud to be an equal opportunity employer.

Search Firm Representatives - AirAsia does not accept unsolicited assistance from search firms for employment opportunities. All CVs / resumes submitted by search firms to any employee at our company without a valid written search agreement in place will be deemed the sole property of our company. No fee will be paid in the event a candidate is hired by our company as a result of an agency referral where no pre-existing agreement is in place.
