Information Security and Governance Officer

We are a Romanian brand that evolved to an international group that produces and delivers energy products. With 6,000 employees and a wide range of jobs, Rompetrol has operations in Europe and Central Asia, from oil trading and refining to petrochemicals production, retail and marketing of petroleum products to providing services to other operators in the Energy industry.

- At least 5 years of experience in adjacent areas such as, Security Operations Center, Network Operations Center, System Administrator, Platform/Tool Support Engineer, IT Helpdesk support.
- Good understanding of the commonly used concepts, practices, and procedures within Information Security with a bonus for ICS / SCADA security knowledge.
- Good knowledge of local regulations related to information protection, IT and cyber security.
- Good understanding of application security, secure programming, vulnerability analysis, penetration testing, encryption technologies, intrusion detection and incident response management practices.
- Excellent understanding of concepts and practical enactment of Information Security Risk. Management (control frameworks, control lifecycle, implementation and measurement).
- Practical experience with deployment and/or operation of the following security solutions:
- Advanced Endpoint Security solutions
- Web and Email Security Gateways
- SIEM systems
- Data Loss Prevention (DLP) systems
- Secure Network Access and Identity Services solutions
- Strong experience in securing Directory Services such as AD, LDAP.
- Proven previous experience in managing Firewalls, VPNs, IDS or other commercial network security solution (Cisco, Fortinet, etc.) and excellent understanding of network technologies.
- Strong experience with network forensics and data preservation.
- Experience with patching and software deployment technologies.
- Previous experience in deployment, fine tuning and management of Windows server and/or Unix operating systems.
- Experience in performing Information Technology technical audits, security vulnerability assessments, system configuration verifications and security related assignments.
- Experienced in Application and Information Security Architecture.
- Excellent understanding of ISO:IEC 2700x (PCI DSS, NIST, SAS70 and/or others would be a plus).
- Experience of working in a mixed OS, Cloud, SaaS, Web, API and Mobile Application environments.
- Experience with conducting Threat and Risk assessments and Vulnerability Assessments of IT systems.
- Industry or vendors certifications from ISACA, ISC2, GIAC, EC-Council, Cisco, Juniper, CompTIA, ITIL, Microsoft, Oracle, etc. are considered a plus (ex. CISA, CISSP, CISM, ISO2700x, COBIT).
- Passionate about Information Security, inquisitive, energetic and eager to learn.
- Good communication, documentation and presentation, interpersonal and team-player skills.

- Assist in planning, management and execution of vulnerability and risk assessment projects.
- Analyze new and upcoming security solutions to protect company and customer data.
- Execution of Threat and Risk Assessments of enterprise IT systems and documenting recommendations on how to mitigate risks.
- Performing internal security audits against Government and ISO:IEC 2700x standards. Audits may be required to be performed at remote sites including abroad entities, on occasion.
- Researching and tracking information about current security threats and potential vulnerabilities. Initiate escalation procedure to counteract potential threats/vulnerabilities.
- Assist in managing IT incidents and resulting Security investigations. Acting as initial contact for IT Security related incidents. Ensuring the reporting, investigation and escalation of incidents is completed where appropriate.
- Assist the Group Security Lead in supporting Procurement function for new acquisitions / purchases and help to manage the relationships with suppliers / partners to assure levels of Security & Continuity capabilities are commensurate.
- Participate in DLP related incident investigations, determining the cause of the security incident and preserving evidence for potential legal action.
- Pro-actively identify vulnerabilities and weak security controls, conduct security audits and recommend improvements and corrective actions to the relevant teams.
- Ongoing development of Security Event Logging retention process at Group level.
- Assist in performing policy compliance reviews of enterprise IT systems and business application systems.
- Collecting, monitoring and analyzing Group IT security metrics to measure the effectiveness of ISO's IT security management processes and producing relevant reports.
- Documenting and updating elements of IT security governance (e.g. policies, procedures, standards)
- Serve as a point of contact for information security inquiries and audits.
- Ensuring that security issues identified during internal and other third party security reviews are communicated to technical teams and that appropriate and up to date action plans exist to clear issues.
- Performing Security awareness and training on both a group and individual basis.