Title: Senior Manager for IT Internal Controls & Governance
The Senior Manager for Information Technology & Security Controls & Governance is responsible for the overall governance, execution, implementation, validation, assessment, testing and monitoring of the Jollibee Group’s Technology and Information Security Framework Governance, Controls and Policies. The role also owns Risk and Controls-related Assessments over Enterprise and Functional initiatives, the technical improvement and maintenance of internal control decks, documentation, and business continuity planning for Internal Control processes and procedures. The role provides extensive consulting and guidance on Security requirements, serves as the controls governance and improvement expert for technical & security projects / initiatives, and is the driver of the Global Information Security Policy. The role involves heavy interaction with Business Technology and Digital Technology across multiple regions. The role also works in close partnership with the Compliance Officer for Privacy Data Privacy Governance (COP DPG), supporting the DPO in his Global obligations across all regions and ensuring that security and privacy standards are established and complied with.
Key Responsibilities:
Global Information Security & Incident Management Council & Information Security Risk Assessment Lead
• IT CONTROLS GENERAL ASSESSMENT FRAMEWORK – establish and follow through a general IT Controls, InfoSec & Cyber Security framework for use in business strategies such as, but not limited to, Mergers & Acquisitions and other Business Transformation projects, establishing the minimum IT Controls, Information Security, and Cyber Security requirements. The framework will be anchored to, and serve as an input to, the Jollibee Group GRC Capabilities and shall be used as the baseline reference for security and IT controls maturity and capability assessments of new businesses or business transformations.
• CURATE & LEAD STRATEGIC SECURITY & CYBER ASSESSMENTS – Design, Curate, Lead, Conduct, Measure and Follow through global and regional Information Security, Controls, and Risks & Maturity Assessments; orchestrate the Action Plans and glidepath strategies, creating visibility, synergy, optimization, and effectiveness of solutions across Regions and Technology Areas, especially those related to Security & Cyber Maturity.
o Design and Lead enterprise IT Controls & Security assessment initiatives; development, implementation and maintenance of the Jollibee Group’s IT Internal Control, and Information Security Framework and Policies to ensure consistency, efficiency, effectiveness, and productivity across Region, Business Units, and Functions including due diligence assessments for Mergers & Acquisitions or similar businesses.
o Lead and drive function-based and risk-based Information Security assessments or sweeps / audits to determine the adequacy of IT Controls and their design.
• GOVERNANCE: GLOBAL COUNCIL – Help orchestrate the Global Information Security Council and facilitate its Charter objectives. The Council is composed of representatives from Business Technology and Digital Technology across the regions; the role drives Council objectives, targets, responsibilities, and accountability on a periodic basis.
• CROSS-REGIONAL STRATEGIC INITIATIVES – Help facilitate cross-regional standardization and capability rationalization, holding Regional and BT / DT heads accountable for addressing the focus risk areas identified in the various assessment exercises.
• INCIDENT MANAGEMENT & MONITORING – Incident Management orchestration and Task Action Monitoring – ensure that all Incidents and Ad-Hoc tasks are properly documented, monitored, debriefed, and followed through for reporting or compliance purposes. Ensure that a sustainable Monitoring platform is established so that the Incident Management Framework can be sustained, together with the COP DPG, especially for incidents related to Privacy.
Global Information Security Policy (GISP) Owner – Governance, Compliance, Advisory
• GLOBAL POLICY OWNER – of the Jollibee Group’s Global Information Security Policy (GISP) and the respective Information Security Standards. This includes periodic industry and regulatory appraisal of contents and provisions, periodic review and updates based on growing business and risk trends, and all relevant content management upkeep. Interprets and articulates specific sections that need to be operationalized, ensuring that the interpretation of the GISP and its standards is consistent, current, and aligned with international standards.
• POLICY COMPLIANCE DRIVER – Drive governance of Policies, Guidelines, and Compliance requirement alignments, and ensure that the principles of such standards cascade to function-based and operations-specific Policies and Procedures, so that operational and organizational implementation glidepaths are consistent with the intended Jollibee Group Standards and Strategies.
• COMPLIANCE DESIGN – Design and Implement Compliance Sweep methodologies to ensure that Security Initiatives are proactively checked and tested for effectiveness and / or completeness, in partnership with Internal Audit.
• EXECUTIVE PRESENTATIONS – Prepare and conduct Executive Presentations to discuss Risk posture, recommendations, glidepath, remediation plans, and follow-throughs on the implementation of controls / security strategies, systems changes and project management controls globally.
• ADVISORY & CONSULTING – Go-to General Advisor and Consultant for Global Information Security, and Level 1 escalation point for Information and Cyber Security incidents.
Technology Governance Partnering – Controls & Security Functional Policy Review & Continuous Improvement
• PERIODIC STANDARDS APPRAISAL & REVIEW – Periodic review of policies and guidelines related to IT controls and security processes, in coordination with Business Technology, Digital Technology, and Internal Audit, ensuring that functional policies, the GISP, and all related standards are constantly updated and actively aligned with global and industry standards such as, but not limited to, ISO, NIST, and / or COSO.
• INFORMATION & CYBER SECURITY OPERATION POLICIES REVIEWER – acts as the first-level reviewer of operational guidelines and policies from Business and Digital Technology that support and operationalize security and controls at the enterprise, function / department, global, and regional levels, ensuring that an independent governance eye has insight and that such operational guidelines and policies align with the GISP and the Standards.
• BUSINESS PARTNERING – Continuously explore areas of security or control risk that need policies and guidelines, and proactively coordinate with Business Technology, Digital Technology, and / or the relevant Business Functions, e.g., Restaurant Systems, HR, JWS, Facilities Management, etc.
• CHANGE MANAGEMENT & CONTINUOUS OPTIMIZATION – Drive and / or propose process or continuous improvement for Security Risk areas by initiating dialogues, discovery sessions, solutioning discussions, and requirements-setting, down to Project Management if needed.
Enterprise Education, Trainings, Information Drives, Campaigns, Project Management, & People Management
• COMPLIANCE CULTURE BUILDING – Own and spearhead information security programs & initiatives to promote / advocate for the Global Information Security Policy through compliance with the Computer-Based Training (GISP CBT) and the corresponding subsequent Annual Renewal requirements.
o Monitor compliance with the Mandatory GISP e-Learnings across all Regions and Brands.
o Spearhead the Annual Information Security and Data Privacy Month together with the COP DPG.
o Create and Conduct Webinar Trainings / Courses – Enterprise-wide and / or Function-Based Information Security Training.
o Organize Periodic Information Security and Cyber Maturity Trainings for Executives in partnership with the COP DPG.
o Curate and Release Infomercial Campaigns on a regular periodic basis, in cooperation with Business and Digital Technology.
• GOVERNANCE CHAMPION – Support and champion the roll-out of Information Security and IT Control Policies and Guidelines conducted by Business Technology and / or Digital Technology.
• PROJECT MANAGEMENT – As part of enabling continuous improvement, process optimization and / or scaled implementations of security initiatives across functions and regions, there will be opportunities to conduct Project Management as a leader, facilitator, or critical member.
• PEOPLE MANAGEMENT – Guide, strategize, train, and direct subordinates (direct reports, whether organic or consulting); help drive the objectives and targets of the IT IC tower; ensure talent growth and development plans are in place; and be an instrument for driving not only the compliance culture but also the spirit of family and fun in and among the GIC Team.
Job Qualifications:
• College Graduate in Business Management, Accounting, or Finance with IT Proficiency, and / or any IT-Related Course.
• Must have at least 7 to 12 years of experience in Information Security Operations, Information Security Audit / Advisory, or Information Security Governance from the following backgrounds:
Preferred:
o FMCG / Food and Beverage Industry
o Bank or Financial Institution Industry
o Cybersecurity / IT risk assurance / consulting expertise
o Basic Coding and DevOps background (can read and interpret code, especially risk-related code)
o IT Audit / Governance preferred
• Master’s degree or related certifications in IT or Information Security Controls (CIA, CISA, CICA, CIPP, etc., and related IT Certifications), project management (PMP, MPM, Lean Six Sigma) and ITIL Certifications are a plus.
• Must be willing to work in Ortigas, Pasig (Hybrid Work Setup).
Jollibee Foods Corporation is the hiring entity for this requisition.