Responsibilities:

• Formulate and maintain up-to-date policies, standards and guidelines on cybersecurity covering both IT (Information Technology) and OT (Operational Technology) environment.
• Lead security risk reviews to assess (a) conformance to established policies, standards and guidelines, and (b) security risks exposure, and to recommend improvements. Provide advice and resolution on security requirements, security compliance, and lead the seeking of approval on non-compliance.
• Provide advice and consultancy on requirements of conformance to cybersecurity standards in design, development, and operation of IT/OT Systems. Continuously identify, assess, measure and monitor information technology and cyber risk by performing independent hands-on risk assessments for new projects and non-standard IT requests.
• Identify and co-ordinate the planning, development, and implementation of technical security controls, including patches for systems vulnerabilities, for technologies deployed by the Authority. Assess adequacy of security and risk mitigation controls, evaluate threats and vulnerabilities, assess the level of current and residual risk and communicate these risks to relevant stakeholders.
• Manage and investigate any security incidents or violations of the Authority’s information security and assist other groups of the Authority to handle the violations.
• Advise and collaborate with other teams in the IT Department, and other departments of the Authority, on cybersecurity, information security and personal data protection matters.
• Assist decision making and define cyber and information security requirements for deploying security technologies for IT and OT security. Contribute to various security projects with ability to develop funding paper and project proposal. Review and assess the security solution architecture and design.

Requirements:

• University degree holder in Computer Science, Information Technology, Engineering or other related disciplines.
• At least 5 years’ relevant experience on IT Security/ Information Security in which at least 2 years involving security incidents response or in the capacity of security analyst.
• Member of HKIE or equivalent professional bodies is an advantage.
• Professional certifications in relevant Security Incident Response, Cyber Security, Risk Management and/or Compliance disciplines (e.g. ITIL-SM, CISSP, CISM, CRISC, GIAC certifications, CEH/CNDA, CPTE, CPTC, etc.) are highly preferred.
• Hands-on experience with IT infrastructure security assessment including commercial and open source security testing / vulnerability analysis / network scanning tools, log review and analysis.
• Knowledge and experience in Industrial Control Systems, PLC, SCADA, DCS, IoT security and OT security frameworks/standards (e.g. ISA99/IEC 62443, IEE 1686, ISO27001, NIST SP800-53, CIS, etc.) is an advantage.
• Technical knowledge of security domain subjects significance to IT (e.g. System/Network, Virtualization, Internet, Mobile and Web technologies, etc.)
• Strong analytical skills and the ability to take on new responsibilities, lead and influence others as needed to deliver consistent results
• Good command of spoken and written English and Chinese. Knowledge of Putonghua is preferred.