Information Security Analyst II

Asia Digital Engineering (ADE)

Sepang

On-site

MYR 70,000 - 100,000

Full time

Today

Job summary

A leading aviation services provider based in Malaysia is seeking a Cyber Security Analyst to ensure compliance with EASA regulations and support the Information Security department. The role entails governance, technical operations monitoring, and risk management. Candidates should have a Bachelor's degree and 2–4 years of relevant experience in cybersecurity and regulatory compliance. This position offers a unique opportunity to work with aviation systems and enhance the organization's security posture.

Qualifications

  • Minimum 2–4 years of experience in Cyber Security or IT Audit role.
  • Knowledge of regulatory frameworks and airworthiness standards.
  • Experience with vendor contracts and conducting security assessments.

Responsibilities

  • Lead EASA Information Security requirements implementation.
  • Manage security monitoring systems and vulnerability management.
  • Conduct audits and ensure compliance with EASA regulations.

Skills

Cybersecurity principles
Technical operations
Regulatory compliance
Risk assessment
Vulnerability management

Education

Bachelor's degree in Computer Science or related field

Tools

ISO/IEC 27001
NIST Cybersecurity Framework

Job description

Founded in September 2020, Asia Digital Engineering (ADE) is a wholly-owned subsidiary of Capital A Berhad based in KLIA2, Kuala Lumpur, Malaysia. ADE leverages the AirAsia Group Engineering Department’s best practices and unsurpassed combined experience in the region. ADE offers a range of aircraft services focused on the Airbus A320, A321 & A330 for line maintenance services, component and warehouse services, and engineering support services.

At ADE, we are dedicated to ensuring world-class security and performance across all our products and services. The Cyber Security Analyst is a key part of this mission, supporting the Information Security department with a hybrid role of Governance (GRC) and Technical Operations Monitoring. This detail-oriented and proactive role is critical in maintaining a robust security posture, with the primary objective being strict compliance with EASA Part-IS regulations, leveraging standards like ISO/IEC 27001 and the NIST Cybersecurity Framework. You will work closely with business stakeholders, technical teams (SRE/IT), and external partners, acting as the essential bridge between regulatory requirements and technical execution.

What you will do
A. Information Security Governance, Risk & Compliance (GRC)
  • Execution & Monitoring: Lead the daily implementation and continuous monitoring of EASA Information Security (IS) requirements. Translate high-level regulatory mandates into actionable security tasks and ensure strict adherence across the organization.
  • Framework Integration (ISO 27001 & NIST): Utilize ISO/IEC 27001 standards to structure the Information Security Management System (ISMS) and apply the NIST Cybersecurity Framework to design robust operational controls. Ensure these frameworks are harmonized to satisfy specific EASA compliance obligations.
  • Risk Management & Gap Analysis: Maintain the Information Security Risk Register by performing regular compliance gap analyses. Assess risks against both EASA regulations and NIST best practices, focusing on vulnerabilities that could impact regulatory certification.
  • Policy Development & Governance: Develop and update security policies, standards, and procedures. Ensure all governance documentation aligns with ISO/IEC 27001 rigor while specifically addressing the aviation security nuances required by EASA Part-IS.
  • Audit Assurance & Remediation: Act as the primary point of contact for compliance evidence during internal and external EASA audits. Manage the collection of evidence and lead the timely remediation of any non-conformities or observations.
B. Technical Security Operations and Analysis

Secondary Objective: Coordinate and monitor the execution of technical security tasks—including those performed by vendors and third parties. This encompasses deep-dive log analysis, vulnerability lifecycle management, and offensive security support, with the goal of ensuring the resilience of both IT and critical Operational Technology (OT) environments.

  • Security Monitoring and Analysis: You will help manage the security monitoring system (SIEM) by checking logs and alerts (from tools like IDS) to find unusual activity and security issues related to EASA regulations.
  • Vulnerability and Patch Management: You will manage the process for finding and fixing security weaknesses in aviation systems. This includes working with the SRE/DevOps teams to build security scanning and patching into our deployment process, and ensuring we fix the most critical issues first to protect flight safety and airworthiness across both standard IT and Operational Technology (OT) environments.
  • Security Testing (VAPT): You will help organize and perform security tests (VAPT) to check if our firewalls, encryption, and other technical controls are working correctly and meet both internal security standards and EASA Part-IS rules.
  • Incident Support: During a security incident, you will provide hands-on technical help. This includes gathering digital evidence, checking initial log data, and writing reports to figure out the root cause and meet regulatory reporting requirements.
C. Partner, Third-Party Risk & Stakeholder Management

Other Objective: Oversee the end-to-end security lifecycle of the organization’s supply chain, working in tandem with the internal contract and vendor management team. You will serve as the strategic liaison between internal stakeholders, legal counsel, and external partners to ensure all third-party contracts and operations maintain rigorous compliance with the EASA Part-IS mandate.

Experience and skills
  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field.
  • Minimum of 2–4 years of experience in a Cyber Security, Information Security GRC, or IT Audit role, demonstrating a blend of technical operations and governance documentation.
  • Essential: Demonstrated knowledge of, and practical experience with, any regulatory framework, and of how to apply airworthiness and safety standards to IT security controls.
  • Strong working knowledge of ISO/IEC 27001 (for ISMS management) and familiarity with NIST Cybersecurity Framework (CSF) for operational risk and control mapping.
  • Experience with Security Operations, including Vulnerability Management and log analysis.
  • Experience reviewing vendor contracts and conducting security due diligence/risk assessments (Third-Party Risk).
  • Familiarity with DevOps/SRE cultures and integrating security into CI/CD pipelines is a strong plus.
  • Proven ability to translate complex regulatory texts into practical instructions for technical teams (Regulatory Translation).
  • Strong problem-solving skills to conduct gap analyses and root cause analysis for security incidents (Analytical Thinking).