SENIOR INFORMATION SECURITY RISK ANALYST (Governance, Risk & Compliance)

Department INFORMATION SECURITY INFORMATION & COMMUNICATION TECHNOLOGY Primary purpose of job The Senior Information Security Risk Analyst is tasked with enhancing the information security posture of QatarEnergy in both IT and OT environments by assessing and managing cyber and information security risks. He/She actively participates in projects during all phases of implementation and operation, provides expert technical and procedural direction to identify and manage cyber and information security risks, and monitors progress of activities to manage and report identified risks. Experience & Skills • Knowledge of fundamental security principles and challenges in their practical application • 10+ years of relevant professional experience • Experience with large ICS & ICT environments in the Energy sector, preferably in Oil & Gas • Knowledge of information security capabilities and requirements analysis • Perform periodic risk management activities in IT and OT during the phases of project lifecycle, communicate risks and mitigation actions to stakeholders, and support the business in defining cyber and information security requirements • Identify critical information systems and supporting systems for business processes and projects • Evaluate effectiveness of existing information security controls • Propose cost effective information security controls for the remediation of risk • Manage information security risk register, including the development of risks acceptance reports, and communicate risks to the business as required • Maintain security controls framework in compliance with state law, international standards and best practices • Define and evaluate metrics for reporting information security control effectiveness • Communicate the urgency and severity of complex risk scenarios in simple, effective language • Excellent written and verbal business communication skills Education • Bachelor degree in information security, computer science, or systems engineering. • Professional certifications related to Information security (e.g., ISO27001, ISO27005, CISSP, GICSP, CISA, GIAC, CEH, etc.)