This is a permanent and residential position based in the NOC Head Office in Doha. A tax-free salary and comprehensive benefits package with family status, educational assistance and other expat benefits is on offer for the right candidate.

Scope of Work

This role will be situated in the Information Solutions (IS) Department and will report to the IS Manager.

The Head of Information Security is responsible for managing information security risks within North Oil Company, for both Enterprise and Industrial Control Systems.

Main accountabilities include:
- Team and budget management
- Governance of the Cybersecurity Program: Audit, Risk and Change Management
- Development of Information Security Policies and Standards supporting the Cybersecurity program
- Risk Management and remediation activities
- Information Security Monitoring and Incident Response, including the Security Operations Centre
- Business Continuity
- Cybersecurity Awareness
- Cybersecurity architecture
- Definition and execution of information security projects
- Stakeholder Management (internal and external)

Job Dimensions:
- The role reports directly to the IS Manager, has budget responsibility and manages a team of subordinates.
- The role is accountable for establishing, maintaining and executing a risk-based information security program for both Enterprise and Industrial Control System (ICS) Information Security environments within NOC.
- The role is based onshore, with a requirement for periodic offshore visits to facilities within the Al-Shaheen field.

Activities:

HSE
- Participate in, and comply with, related HSE activities (onshore and offshore).
- Ensure information security activities do not intentionally compromise health and safety.

Information Security
- Define and execute a risk-based Information Security strategy and program aligned to NOC business requirements.
- Report on the status and maturity of the program and of cybersecurity within NOC, using appropriate metrics.
- Define and execute the Information Security Risk Management framework.
- Define and implement an incident response plan and establish a Computer Incident Response Team (CIRT) to respond to computer security incidents and coordinate with the Emergency Management team.
- Lead Cybersecurity Incident Response cases, in conjunction with Emergency Management processes.
- Develop Disaster Recovery Plans aligned to business continuity requirements.
- Provide subject matter expertise to executive management on a broad range of information security standards and best practices, such as ISO 27000, COBIT and ITIL, as well as IEC 62443 and NIST SP 800 for industrial cyber security.
- Coordinate and participate in regular audits through internal and external resources to assess information and cyber security performance and compliance with applicable laws, regulations and policies.
- Develop Information Security awareness through targeted change and training campaigns.
- Interface with relevant stakeholders (including shareholders and governmental bodies) to ensure cyber security laws, regulations and decrees are understood and complied with, and that breaches are reported.

All staff must be willing to participate in crisis response training and to assist during emergency response situations if required. On rare occasions work may occur out of hours (including weekends and public holidays).

Context & Environment:
The Information Security environment is complex and covers both Enterprise IT and Industrial Control Systems (ICS). Much of this role is focused on Enterprise IT systems, with some interaction with ICS. The role requires engagement with multiple stakeholders within NOC, vendors and external stakeholders including Government entities.

Profile required:
- 10+ years' experience in a similar role, in large enterprise environments (>1000 users) with multiple geographic locations.
- Oil and Gas experience (or manufacturing industries) is preferred.
- At least 5 years' experience in a leadership role with budget responsibility.
- Graduate and/or Master's Degree qualifications in Computer Science, Information Technology or a related discipline.
- Professional certifications in Information Security and/or Information Technology: CISSP and/or CISM at minimum is required.
- Strong communication skills, including written, oral and presentation skills. Must be fluent in English.
- Knowledge and experience in Enterprise IT (and Industrial Control Systems) security technologies, services and processes:
  - Information Security models and frameworks (ISF, ISO 27001) and best practices
  - Architecture: Operating Systems (Windows, Linux), network technologies and protocols
  - Security architectures and controls, including antivirus, anti-malware, proxies, web filtering and firewalls
  - Security event monitoring tools and processes, including the Security Operations Centre
  - Incident response processes and tools
  - Patch and vulnerability management processes and tools
  - Risk Assessment and Change Management processes
  - Information Classification
  - Disaster Recovery and Business Continuity
- Professional certification in Industrial Cybersecurity (e.g. GICSP or similar) is desirable.
- Knowledge of Industrial Cybersecurity standards (IEC 62443) is desirable.
- Exposure to project management is desirable.