Technology Risk and Compliance Manager

2 days ago


Melbourne, Australia McMillan Shakespeare Full time

The McMillan Shakespeare Group (MMS) is a trusted provider of salary packaging, novated leasing, disability plan management and support co-ordination, asset management and related financial products and services. From our origins in 1988 when we created Australia’s salary packaging industry to today, MMS has a proud history of innovation and exceptional service.

Through our subsidiaries, we offer a breadth of services and expertise designed to responsibly deliver superior long-term value to our clients and customers, which include Federal and State governments and some of the largest public and private sector, health and charitable organisations.

The Manager Technology Risk & Compliance role can be done from Adelaide, Brisbane, Melbourne or Sydney and is a paternity cover for 6 months full time that may extend to one year.

MMS has a number of compliance obligations imposed by the regulatory and contractual environment in which we operate. The Manager Technology Risk & Compliance leads the analysis and monitoring of, and strict compliance with, internal, audit and contractual policies and controls in relation to the delivery of governance over digital and traditional on-premise services. A key component of the role is education and awareness, ensuring staff and 3rd parties are abreast of the requirements in order to meet this compliance.

The Manager Technology Risk & Compliance is responsible for direct control of security-owned controls and compliance obligations, in addition to stakeholder management and leading oversight governance of first line of defense teams and their roles in monitoring, analysing and executing security governance controls. The manager must develop a strong working relationship with IT functional teams and business stakeholders to ensure baseline security requirements are met, assets remain protected within these functional areas, and non-compliance is escalated where it exists.

The Manager Technology Risk & Compliance is also responsible for keeping abreast of legislative, compliance and security industry changes as they relate to MMS business whilst developing, maintaining and reporting risk management frameworks that aim to protect the confidentiality, availability and integrity of group assets including data.

The Role:

- Map existing contracts against security standards identifying potential gaps in compliance and for input into the information security policy and standards
- Manage and lead internal and external audits end to end being the technology authoritative source and focal point whilst ensuring relevant artefacts are sourced and provided in a timely manner
- Evaluate cyber-security standards including NIST, ASD Essential 8, ISO27000 and PCI DSS for alignment with internal frameworks
- Ensure internal security standards, policy, audit and contracted security requirements are communicated across the business and with 3rd Parties
- Ensure 3rd parties comply with all relevant due diligence obligations and provide regular attestations
- Manage the cyber-security education, training and awareness program and educate employees in security best practices
- Periodically conduct security reviews and workshops to report business effectiveness in meeting documented standards, controls and compliance to contractual or policy objectives
- Lead, steer and oversee the Information, Communication and Technology Risk management framework
- Conduct regular risk assessments and workshops to ensure risks to the organisation are assessed and understood, and are fed back to stakeholders to ensure the continued effectiveness of the risk management strategy
- Manage and improve the risk posture, contribute and evaluate solutions for remediating or mitigating risks and assess residual risks
- Work with all stakeholders to educate and identify controls and compliance requirements that are applicable
- Undertake contract and 3rd party security reviews, providing guidance and checklists to support business risk decisions
- Generate security metrics and provide regular reports on security compliance performance to technology management and risk and audit committees
- Lead and prepare Crisis management testing and response exercises and relevant reporting
- Respond to information security incidents
- Lead, maintain and develop incident response processes and procedures when new threats to the organisation arise
- Be an active participant in incident management to support controlled and coordinated responses
- Develop security policy and standards, and develop processes and procedures for evaluation and exemption where required
- When necessary, prepare Post Incident Reviews
- Any other security risk and compliance initiatives, as requested.

You will bring:

- 5-10 years' experience in IT Security and Risk Management
- Experience with legal and regulatory obligations such as the Australian Privacy Principles
- Supply chain risk management and assessments including 3rd party security risk assessments
- Experience


