
Information Security Officer

Sony (China) Limited

  • Company size: 1000-5000 employees
  • Company type: Foreign-invested (non-European/American)
  • Industry: Diversified business conglomerate

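Job Information

  • Posted: 2017-09-26
  • Location: Shanghai, Pudong New Area
  • Openings: 1
  • Education required: Bachelor's degree
  • Language required: English, proficient
  • Job category: Technical Director/Manager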

Job Description

CHN ISO Role Summary:
The Information Security Officer (ISO) is responsible for the Information Security Management System (ISMS), enterprise security strategy, security architecture, risk and vulnerability management, security incident response, policy governance, and execution of enterprise information security programs. Responsibilities also include articulating statuses, long-term initiatives, proposed technologies, issues and other critical information to executive management so they can effectively integrate security and contingency into the overall business strategy and ensure Information Security is aligned to corporate strategy and vision.
The Information Security Officer effectively coordinates efforts across the company and pursues synergies with other Sony entities and business partners for process and cost efficiencies.
The position is directly responsible for the regional cost of Information Security within the global Sony Electronics Information Security group. This includes acquiring and justifying appropriate funding for Information Security and for long-range Information Security planning.

Information Security Management System (ISMS) & Risk Management
  • Establish and maintain the Sony Group ISMS, consistent with the requirements of the Global Information Security Policies and Standards, within the Sony Group Companies assigned
  • Ensure processes are implemented:
      o to identify and manage Information Security risks, in accordance with Sony’s risk assessment methodology
      o to monitor and measure the performance and effectiveness of the Sony Group ISMS, associated processes and Information Security controls
      o to review periodically and drive continuous improvement of the Sony Group ISMS
  • Establish an Information Security risk management framework to identify and manage Information Security risks within the Sony Group Companies assigned
  • Ensure that an inventory of Information, Information Systems and Third Parties are established and maintained for the purpose of Information Security compliance and risk management
  • Continuous risk assessments of external/internal threats are performed to ensure risk mitigation and security practices and controls remain appropriate
  • ISMS documentation is established and maintained as per requirements
  • Establish, implement, and maintain an ISMS audit program to assess and report compliance against the Sony Group Information Security Policies and the performance of the ISMS within the assigned Sony Group Companies
  • Ensure corrective actions are defined, executed and monitored for effectiveness

Policies & Compliance
  • Develop, effectively implement and maintain information security policies, procedures, and standards across the region
  • Adapt Global Policies and Standards to comply with regional/local legislation
  • Support the business on achieving compliance with Information Security related regulations/certifications (like SOX, ISO27001)
  • Support internal/external Audits
  • Enforce, monitor, and report on compliance with internal policies, controls, and standards and provide recommendations for remediation of identified deficiencies
  • Review/manage formal policy exception requests and track/report on Plans of Action on findings/deficiencies to closure
  • Educate business unit leaders and service managers on compliance efforts

Relationship Management & Service Delivery
  • Act as the Electronics Global Information Security (EGIS) representative in the Sony Group Companies assigned
  • Develop and maintain effective relationships at all levels of the company in order to communicate Information Security plans and strategic direction and integrate effective security within business and change management processes
  • Partner with business leadership and other key stakeholders, provide security expertise and support information risk based decisions in Business and IT-Projects based on predefined criteria (e.g. return on security investment, compliance, information risk reduction, and contractual requirements)
  • Translate Information Security requirements and Information Risks into business language to enable profound business decisions on information security aspects
  • Understand and act as the Voice of Customer towards EGIS, its Divisions and Service Delivery functions to proactively sense changes in business and technology strategies so that EGIS and Services can align with the need
  • Support/Ensure InfoSec budget request, allocation, communication, approval, expenditure and control for Sony Group Companies assigned
  • Responsible for pursuit, implementation and enforcement of global and regional Information Security objectives in the Sony Group Companies assigned
  • Ensures that eGIS Services meet the regional business/stakeholder expectation for productivity, effectiveness, efficiency, quality and goal accomplishment:
      o Business/technical needs are analysed and solutions adhering to both business goals and security objectives are recommended
      o Information Security training and education (e.g. Security awareness, ongoing Phishing, SSDLC) is conducted within the assigned Sony Group Companies
      o New security tools, (mitigating-) controls to secure enterprise environments are (proactively) designed, deployed and implemented
      o Proper security testing services including vulnerability scanning, penetration testing, code review, etc. for all current and new environments and initiatives are available and performed
      o Third party management including security assessments, contract security language addendums, and periodic auditing is performed
      o Security Incident Management Services (including Standards & Processes) are designed, implemented and tested regularly

Reporting & Support
  • Provide ongoing management reporting on Information Security programs and issues
  • Support global information security metrics and reporting program(s)
  • Ensure internal/external Information Security & Service KPIs are defined, maintained and reported to all relevant stakeholders
  • Support global and regional security- and business initiatives and projects

Requirements (Education, Skills & Abilities)
  • Bachelor's degree in Computer Science or equivalent
  • 10+ years of relevant experience in managing Information Security
  • Job experience must include a minimum of 6+ years with management responsibilities
  • Understanding of large-scale network and application environments (including Internet-facing)
  • Familiarity with the TCP/IP protocol suite; IPv6 experience a plus; major application protocols (HTTP, HTTPS, SMB, FTP/SFTP, SMTP, NTP, SNMP, VoIP protocols, etc.)
  • Experience with key security tools such as Firewall Technologies, AntiVirus, File Integrity Monitoring, Intrusion Detection/Prevention, Data Loss Prevention, Web Application Firewalls, Web Proxies, Web Content Filtering; DDoS defense
  • Understanding of authentication and encryption technologies
  • Familiarity with regulatory frameworks such as PCI, SOX and associated audit processes
  • Fluency in written and spoken English
  • Good interpersonal skills and common-sense approach

Desired Skills
  • CISSP, GIAC, CEH certification a plus
  • Experience with Security Incident and Event Management
  • Experience with system engineering, installation and administration of *NIX-based and Windows-based operating systems, system hardening and troubleshooting
  • Ability to support Incident Response processes
  • Experience with router and multilayer switch technologies and products
  • Experience with vulnerability scanning tools/services (e.g. Nessus, Qualys, AppScan, WhiteHat)
  • Exposure to big data technologies (Elasticsearch, Hadoop, etc.)

Key Relationships

Internal (Business):
  o Senior (Top) Management of the OpCo assigned
  o Business/Division Leads within the OpCo/Business Unit assigned (e.g. Sales & Marketing, Services & Support, R&D, Production)
  o Heads of related Support Functions (e.g. Finance, HR, Legal, IT, Facilities) / Global Heads in case of shared Services
  o Business Risk Management Leads
  o Key-Decision Makers/Influencers within the OpCo/Business Unit assigned

Internal (Security):
  o Executive Information Security Officer (EISO) – Sony Electronics
  o Chief Information Security Officer (CISO) - Sony
  o Regional Information Security Officers
  o Global Information Security Team & Information Security Officers of other Sony OpCos
  o Division Heads within the Electronics Information Security Team (EGIS)
  o Internal Service Providers, like:
      o Sony India Software Centre
      o eGIS Application Security Services
      o eGIS Security Teams, like Risk Management, Incident Management, Vulnerability Management etc.

External:
  o Key-Global, regional, local Service Providers used by the Business, Global IT Teams and Security Teams
  o Information Security fellow experts & Security Companies

Job function: Technical Director/Manager


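Company Profile

    The Sony Group has always been committed to creating greater corporate value and practicing better social responsibility through diversity and differing perspectives. We strive to maintain a safe and healthy working environment, free from discrimination and harassment, in which individuals can fully realize their potential. Sony respects and fosters inclusiveness and talent diversity, provides equal employment opportunities, and does not treat people differently on the basis of ethnicity, nationality, religion, disability, gender, age or other factors.
    Sony Corporation is a creative entertainment company built on a solid foundation of technology. Sony's businesses span games, network services, music, pictures, electronics, semiconductors and financial services, and its corporate purpose is to move the world with the power of creativity and technology. In fiscal year 2019, which ended on March 31, 2020, the company's consolidated sales reached 76 billion US dollars.

    Over the more than 70 years of the company's development, as a global enterprise with a strong sense of responsibility, Sony has been committed to helping people realize their dream of enjoying a higher-quality entertainment lifestyle through excellent products and services. Today, Sony has established branches, subsidiaries and factories in more than 140 countries and regions worldwide; 70% of the group's sales come from markets outside Japan; and hundreds of millions of Sony users are found all over the world.

    With a "global localization" operating strategy as its goal, Sony established Sony (China) Limited, a wholly owned subsidiary, in Beijing in October 1996 to manage and coordinate its business activities in China in a unified manner. It is intended to engage in investment in China's domestic electronics and information industry, product marketing, and customer after-sales service liaison, and to provide macro-level management and broad business support to Sony's affiliated enterprises in China.

    In recent years, the Sony Group has treated the fast-growing Chinese market as a top priority for its future development. Sony (China) Limited will make full use of the resource advantages of group headquarters to build in China a comprehensive operating platform, suited to local development needs, that integrates product planning, design, R&D, production, sales and service, bringing Chinese consumers more products and services with high added value.

    "Rooted in China, developing for the long term" is Sony's long-standing commitment to China and the guiding principle of its business expansion there. While developing its businesses in China, Sony also takes an active part in public-welfare fields such as education, culture, sports, the arts and environmental protection. Over the past several years, Sony has invested hundreds of millions of US dollars in public-welfare causes in China, earning praise from China's education, science and technology, and cultural communities, among others. Upholding its philosophy of contributing to society through technology, Sony will continue to work tirelessly to be an excellent corporate citizen and to make its own lasting contribution to the development of China's society and economy.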

Contact Information

  • Email: Tes.Zhou@sony.com
  • Company address: 8F, Building 1, No. 222 Hubin Road, Huangpu District, Shanghai (Postal code: 000000)