
SMRT Corporation Ltd

Manager, Risk Management

  • Posted 14 hours ago

Job Description


Job Purpose

To deliver Operational Technology (OT) cybersecurity and cyber resilience in SMRT, strong oversight of cybersecurity risk and compliance with both regulatory and in-house requirements is critical.

 

To achieve the above, the Manager, Risk Management is to ensure the organisation's adherence to cybersecurity regulations, policies and standards, oversee the conduct of cybersecurity risk management, including risk control measures, monitor follow-up measures until completion, and implement strategies to enhance the organisation's overall security posture. He/she will also provide support for cybersecurity training and competency to build a strong awareness, ownership and culture.

Responsibilities

1.  Ensure the organisation's compliance with the security standards and guidelines stipulated in:

  • CSA Cybersecurity Act
  • CSA Cybersecurity Code of Practice for Critical Information Infrastructure (CCoP)
  • Relevant CSA guides, e.g. Guide to Conducting Cybersecurity Risk Assessment for Critical Information Infrastructure
  • LTA Code of Practice for Cyber Security in MRT Systems (CP8), including Land Transport Cyber Security Incident Management Framework (CSIMF)
  • CSA publications such as Security-by-Design Framework, etc.

 

2.  Oversee the conduct of cybersecurity risk management, including risk control measures, monitor follow-up actions to mitigate the identified risks until completion and provide regular updates to Management.

 

3.  Manage contracts and deliverables for regulatory CCoP and CP8 audits (2-yearly), Risk Assessment (annually), Vulnerability Assessment (2-yearly) for CII and other contracts as required, and support the conduct of these activities, where required. Note: CP8 includes important non-CII systems.

 

4.    Manage processes such as waiver request submissions and reviews, and monitor follow-up actions arising from audits, Risk Assessment and Vulnerability Assessment.

 

5.    Support Policy & Governance team in developing and implementing policies, standards and/or guidelines for managing cybersecurity risks and protecting OT systems against cybersecurity threats.

 

6.  Gatekeep submissions of Material Change Form and corresponding CII Information Record (S10) Form within the specified timeline.

 

7.  Report on the OT cybersecurity status for submission to the Authority and/or Management.

 

8.  Support the cybersecurity training and competency development programme to build up strong cybersecurity awareness, ownership and culture in SMRT.

 

9.    Support the conduct of Cybersecurity Management meetings.

 

10.    Provide guidance to the OT Cybersecurity Operations team in managing CII and Non-CII Asset Information & Security baselines, Identity Management, Authentication and Access Control Technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

 

11.    Collaborate with the SMRT Risk Management, Internal Audit and Legal Teams on risk and compliance matters.

 

12.    Where required, support the conduct of validation checks to ensure that security control measures are maintained.

 

13.    Where required, support the conduct of cybersecurity exercises such as Table-Top Exercise for CII.

Qualifications & Work Experience

•    Degree in Electrical & Electronics Engineering, Computer Science or equivalent.
•    At least 7 to 8 years of working experience in the engineering field.
•    Cybersecurity-related qualifications and/or certifications such as CISM, CISSP, CEH or CISA are preferred.

Skills

Technical skills include:
•    Good knowledge of cybersecurity regulations, principles, standards and processes.
•    Good knowledge of cybersecurity risk assessment and vulnerability assessment.
•    Strategising, Planning and Organising skills.
•    Knowledge of virtualisation with VMware is preferred.

 

Generic skills include:
•    Leadership
•    Initiative-taking and adaptable
•    Effective communication
•    Teamwork
•    Critical thinking and problem-solving skills
•    Ability to work under pressure


Job ID: 146155027
