Manager, Information Security

Jakarta, Indonesia

AirAsia



Job Description

This position will report directly to the Aviation CISO. The candidate will provide advice,
consultation, and awareness of the Group Information Security requirements to technical
teams and other employees, and ensure their implementation. This role will be responsible for
ensuring internal systems and processes are compliant with information security standards
(e.g., ISO 27001, PCI DSS, CIS, NIST CSF, etc.), and for monitoring, managing, and closing
information security compliance issues. Other responsibilities include identification, evaluation, and
interpretation of standards, regulatory, statutory, and member security requirements, control
deficiencies, and information security risks. This position will be the primary point of contact
during information security incidents and responsible for managing the incident.


Duties and responsibilities
● Advise CISO on local information and cybersecurity-related regulations and
requirements, and then map or recommend changes to existing policies and
frameworks.
● Advise local CEO(s) and management on Information Security matters, which may,
from time to time, include updates to the Boards of Directors of the various entities.
● Monitor and report on compliance with security and data protection policies, as well
as the enforcement of policies.
● Work with in-country Data Protection Officer(s) of AirAsia Aviation on data protection
requirements.
● Maintain a record of up-to-date information security assets (e.g., equipment,
documents, etc.).
● Participate in and facilitate audits and assessment activities to ensure compliance with
information security requirements.
● Monitor and investigate local security events and incidents in collaboration with the
Group Detection & Response team (Security Operations Center).
● For locally arising security incidents, act as Incident Manager, in coordination with
Group Incident Response & Management teams.
● Identify, communicate, and manage current and emerging security threats with
relevant stakeholders. Manage end-to-end information security incidents with the
assistance of incident management teams.
● Conduct or facilitate periodic and/or ad-hoc information security assessments and
testing, as well as manage the findings.
● Analyse management and technical controls to ensure specific security and
compliance requirements are met through verification of documented processes,
procedures, and standards in order to validate the maintenance of secure
configurations.
● Monitor and facilitate the entitlements review process to ensure compliance.
● Monitor third-party risk assessments and assist in performing internal risk
assessments.
● Support development and reviews of security policies, processes, and procedures
and support service-level agreements to ensure that security controls are managed
and maintained.

● Collaborate on IT projects to ensure that security policy/risk issues are addressed
throughout the project life cycle.
● Information Security Awareness - Participate in the development of information
security awareness training in conjunction with other members of the GRC. Provide
consultation, education, and awareness on information security requirements to
various levels of management and Allstars.
● Liaise with the Group Information Security Architecture team to ensure local
requirements and activities are aligned with the strategies and objectives of group
information security design.
● Monitor local guest accounts, payments, and fraud risks and advise Group Business
Security (SuperApp accounts and payments anti-fraud, Fraud Operations Team, and
Continuous Monitoring Team) on local business security requirements and threats.


Requirements:
● Bachelor's Degree in Information Technology, or Business with IT, Computer Science,
or equivalent
● Minimum 6 years' experience in managing Information Security
Operation/Governance, Risk Management, and Compliance, or related fields
● Relevant industry certification is an advantage (ISO 27001, CISA, CISSP, CGEIT, etc.)
● Working knowledge of common IT/information security-related regulations or
standards, especially ISO 27001 and PCI-DSS
● Working knowledge of local information and cybersecurity-related regulations and
requirements is a huge advantage
● Ability to develop, review and maintain documentation in a timely manner
● Strong communication (spoken and written), interpersonal, and conflict resolution
skills. The ability to establish and maintain rapport with stakeholders is highly
desired.
● Strong analytical and critical thinking skills
● Results-oriented, high level of attention to detail, self-starter and motivator, ability to
multitask and adjust to shifting priorities.

Category: Leadership Jobs

Tags: Audits CISA CISO CISSP Compliance Computer Science Governance Incident response ISO 27001 Monitoring NIST PCI DSS Risk assessment Risk management Security assessment SOC

Perks/benefits: Team events

Region: Asia/Pacific
Country: Indonesia
