Job description
The role holder will be an Assistant Manager (Grade D) in the Information Risk Assessment team, conducting Information Risk assessments by supporting how the firm identifies and analyses information security threats and risks to KPMG and client information in projects, initiatives, new systems, applications and IT resources, to advise on the controls necessary within agreed limits. The role holder will provide support for the day-to-day service, to support the Information Risk Assessments Team ensuring risks are identified and are entered into the Information Risk Assessment tool.

Key Activities include

• Conducting multiple Information Security Risk assessments of technologies and suppliers for internal projects and initiatives.
• Completing Information Risk Assessments in-line with KPMG UK's Risk Assessment methodology to completion which may include raising risks.
• Appropriate information security contractual clauses are used in any formal agreement with suppliers.
• Collaborating, liaising, conversing and working with internal project/initiative stakeholders and security testing teams to recognise appropriate risks with identified security findings.
• Working within agreed timescales and keeping Information Risk Assessments on track within agreed SLA's with business stakeholders.

Key Stakeholders

• Business and functional managers across the firm, including Project Managers, Project teams, BISOs (Business Information Security Officers), Procurement, and Supplier Managers (and 3 rd parties).
• Technology, Information Assurance, Security Operations and Data Privacy teams.
• Senior Managers, Directors, and Partners from across the UK firm, KPMG Global, and other KPMG member firms who act as Information/Application/Product Owners.

Key Responsibilities

Technical Information Risk Assessment

Within the Risk Assessment team:

• Be responsible for performing Information Security Risk Assessments upon projects, suppliers and hybrid projects (technology projects with a supplier), KPMG managed technology solutions, managing demand and prioritising assessment appropriately.
• Provide guidance towards completing risk assessments.
• Provide consulting advice to CTO's, Technology Engineering and Operations, business service owners and 3rd parties on how best to implement the firm's information security policies.
• Support the firm's mission to build client trust and confidence with regard to information security generally and information risk assessment specifically.
• Stay abreast of industry best practice in relation to information risk assessments
• Support the delivery of a high-quality and timely information risk assessment service to the firm.

• Promote good information security practices and standards across the firm.

Information Risk Management

• Proactively foster an environment that drives appropriate information risk control behaviour, including early anticipation, identification and mitigation of information risk, as well as escalation of issues in line with the Information Risk Management Framework.
• Support the ongoing development and maintenance of the firm's Information Risk Management Framework, including its supporting methodologies, processes and artefacts.

Co-ordination

• Ensure understanding of the Information Risk Assessment process and manage the process for specific assessments.
• Support the Information Risk Assessments team with other ad-hoc work as required.

Awareness and collaboration

• Establish strong relationships with business, functional teams and other relevant stakeholders.
• Build on and preserve the firm's reputation with third-party suppliers around information security.

Benefits expected

• Aspire to KPMG Values: Integrity, Excellence, Courage, Together and For Better
• Expand Information security knowledge and experience by using all learning resources available within KPMG.
• Develop and grow as an individual by leveraging personal strengths, working through areas of development and comfortable in receiving and giving constructive and objective feedback.

Knowledge, Experience and Skills

Technical knowledge and qualifications

• A minimum of 3 years' experience of technical information security risk assessments required.
• Good working knowledge of industry best practice around information security controls covering: cloud security, network security, application security, encryption, information security testing, vulnerability management, access governance, and SaaS assurance.
• Familiarity with information security standards (e.g. Cyber Essentials, ISO 27001, NIST Cybersecurity Framework, CIS Top 20 Controls).
• Understanding of personal data and privacy.
• Security certifications desirable.

Personal qualities and leadership skills

• Excellent English-language communication skills essential - both spoken and written.
• Diligent and focused, with the ability to prioritise multiple tasks and manage multiple risk assessments concurrently by themselves.
• Ability to deal with a broad range of stakeholders at all levels, both internal and external, in a confident and assured manner. Happy to engage, manage, chase and communicate with stakeholders.
• Good team player who is enthusiastic about engaging with the wider Information Risk Assessment team, and with the ability to act independently and exercise sound judgment.
• Assertive, by being able to articulate technical concerns with stakeholders.

Analytical skills

• Strong analytical and problem-solving skills, with excellent attention to detail.
• Proven ability to identify and articulate information security requirements, risks and issues, and formulate clear decisions and recommendations.
• Ability to understand business drivers and risk appetite, in order to make informed risk assessment decisions.

Other requirements

• Covering at least 75% of UK working hours.
• Willing and able to obtain BPSS clearance for the UK.