Responsibilities:
Information Security Governance
- Design, implement, and maintain the Information Security Management System (ISMS) aligned with ISO/IEC 27001.
- Define and maintain security policies, standards, procedures, and guidelines.
- Support ISO 27001 certification, surveillance audits, and recertification cycles.
- Create and maintain the Statement of Applicability (SoA), and perform control mapping and gap analysis.
- Drive risk treatment plans and track remediation activities.
AI Governance & Emerging Technology Compliance
- Implement and operationalize AI governance frameworks aligned with ISO/IEC 42001, NIST AI Risk Management Framework, and Responsible AI principles (fairness, transparency, explainability, accountability).
- Support creation of Model Cards, AI Risk Assessments, Data Lineage, and Human-in-the-Loop controls.
- Coordinate with engineering teams on AI lifecycle governance (design, development, deployment, monitoring).
- Track regulatory readiness for EU AI Act and sector-specific AI regulations.
Risk Management & Cyber Risk Assessment
- Conduct enterprise, product, and project-level risk assessments.
- Perform threat modeling, risk scoring, and control effectiveness evaluations.
- Maintain risk registers, heatmaps, and executive dashboards.
- Support Third-Party Risk Management (TPRM) and vendor cybersecurity assessments.
- Lead business impact analysis (BIA) and support BCP/DR planning.
Data Privacy & Regulatory Compliance
- Implement and manage compliance with global data protection laws, including GDPR, India DPDP Act, HIPAA, and sector-specific privacy regulations.
- Support DPIAs, RoPA, consent management, DSAR handling, and breach response processes.
- Collaborate with Legal, DPOs, and Product teams to embed privacy-by-design.
- Conduct privacy risk assessments for new systems and data flows.
Cybersecurity Frameworks & Standards Alignment
- Map organizational controls to NIST CSF, NIST SP 800-53, CIS Controls, ISO 22301, SOC 2, and other relevant standards.
- Translate framework requirements into practical controls for engineering teams.
- Support customer and regulator questionnaires, audits, and due-diligence requests.
Audit, Assurance & Compliance Reporting
- Act as primary contact for internal and external audits and for regulator interactions.
- Prepare audit evidence, compliance reports, and executive summaries.
- Track audit findings, non-conformities, and corrective and preventive actions (CAPA).
- Support customer compliance reviews and security assurance programs.
Stakeholder Management & Enablement
- Collaborate with Engineering & DevOps teams, Legal & Privacy, Product Management, Procurement, and Senior Leadership/Board committees.
- Conduct security awareness and compliance training for internal teams.
- Translate complex regulatory requirements into developer-friendly guidance.