Cyber Compliance Analyst

The McMillan Shakespeare Group (MMS) is a trusted provider of salary packaging, novated leasing, disability plan management and support co-ordination, asset management and related financial products and services. From our origins in 1988 when we created Australia's salary packaging industry to today, MMS has a proud history of innovation and exceptional service.

Through our subsidiaries, we offer a breadth of services and expertise designed to responsibly deliver superior long-term value to our clients and customers, which include Federal and State governments and some of the largest public and private sector, health and charitable organisations.

At the heart of achieving this mission is our team. Driven by a passion for the work we do, we work together with our customers to make a real difference to people's lives.

MMSG has several compliance obligations imposed by the regulatory and contractual environment in which we operate. The Cyber Compliance Analyst is tasked with analysing and monitoring strict compliance of internal IT general and cyber controls, providing support in internal and external audits and contributing to improving risk posture of our digital and traditional on-premises services.

A key component of the role is monitoring compliance of IT security controls (ISO27001, ASD (Essential Eight), NIST), conducting risk assessments, managing security education and awareness programs, ensuring staff and 3rd parties are abreast of due diligence and compliance requirements, writing business communications about new security threats and working with IT functional teams and business stakeholders to ensure baseline security requirements are met and assets remain protected within these functional areas.

The Cyber Compliance Analyst is also responsible for developing, maintaining and reporting risk management frameworks that aim to protect the confidentiality, availability and integrity of group assets including data. The role also requires experience in IT General controls and/or IT Audits, preferably from a Big4 or consulting experience background.

**Key Responsibilities**:

- Map existing contracts against security standards identifying potential gaps in compliance and for input into the information security policy and standards
- Provide support and relevant guidance to external IT auditors and ensure relevant artefacts are timely provided
- Evaluate cyber-security standards including NIST, ASD (Essential Eight), ISO27001 and PCI DSS for alignment with internal frameworks
- Ensure internal security standards, policy, audit, and contracted security requirements are communicated across the business and with 3rd Parties
- Ensure 3rd parties comply with all relevant due diligence obligations and provide regular attestations
- Manage the cyber-security education, training and awareness program and educate employees in security best practices
- Periodically conduct security reviews and workshops to report business effectiveness in meeting documented standards, controls, and compliance to contractual or policy objectives
- Oversee the Information, Communication and Technology Risk management framework
- Conduct regular risk assessments and workshops to ensure risks to the organisation are assessed and understood, and are fed back to stakeholders to ensure the continued effectiveness of the risk management strategy
- Contribute to improve risk posture, contribute solutions for remediating or mitigating risks and assess residual risks
- Work with all stakeholders to educate and identify controls and compliance requirements that are applicable
- Respond to information security incidents, as requested
- Maintain and develop cyber incident response processes and procedures when new threats to the organisation arise
- Be an active participant in incident management to support controlled and coordinated responses
- Contribute to policy development
- When necessary, prepare Post Incident Reviews
- Any other security risk and compliance initiatives, as requested.

**You will bring**:

- Experience with IT General Controls and/or IT Audits is essential
- Experience with legal and regulatory obligations such as the Australian Privacy Principles.
- Experience with ISO27001 -a formal certification is a basic requirement

**Not essential but advantageous if you have experience in**:

- IT Security and Risk Management such as ISO 31000
- ASD Essential Eight = preferred but not compulsory
- NIST = nice to have but not essential
- PCI DSS = nice to have
- CRISC Certification - nice to have

**What we can offer you**:

- Our strong people-first culture
- Flexible/hybrid working to enhance your work/life balance
- Novated lease benefits and discounts
- 12 weeks Paid Parental leave and access to our Parents Portal
- Exempt Employee Share Plan
- Paid Income Protection Insurance under MMSG default Super plan
- Access to a broad range of learning and development programs
- Career break and volunteering leave
- Access to Emp