IKEA Supply China (“ISCN”) is the wholesale business unit buying IKEA goods from suppliers and selling to retailers in the Asia Pacific region, comparable to IKEA Supply AG. As a unit equipped with finance, legal, risk, compensation & benefit, and corporate communication specialists, ISCN also provides common/shared services to all Inter IKEA business units and sites in China.
Purpose of Function
The main objective of this function is to secure compliance with Information Security and Data Privacy requirements in Inter IKEA CN entities, covering both internal requirements and China Cyber Law requirements.
Through policies, guidelines and aligned ways of working, contribute to consistency and proper management of security & privacy risks across the IKEA value chain
Lead and develop capabilities and solutions to enable a cyber secure, compliant and trusted IKEA and thereby protect the IKEA brand
Contribute with knowledge and support to ensure that information and information systems are managed in a secure and compliant way across IKEA
Purpose of Job
Ensure compliance with China Cyber Security Law (CSL), Multi-level Protection Scheme (MLPS) and other related laws and regulations in China.
Identify new and modified China cybersecurity data compliance requirements covering data protection, including personal information and important data (as defined by the government), and facilitate the development of new solutions.
Contribute to updating and maintaining local information security and data privacy policies, standards and procedures so that they conform to internal best practice, local cyber security laws / regulations and group policy.
Update, maintain and enforce cross-border data transfer related policies and procedures to meet internal and external requirements
Perform Information Security risk assessments for new local solutions based on the Inter IKEA Range & Supply ISDP baseline, to evaluate the effectiveness of controls; develop follow-up action plans for identified gaps; provide the necessary follow-up to closure.
Perform Information Security risk assessments for existing and new global solutions regarding cross-border data transfer, evaluate the effectiveness of controls; develop follow-up action plans for identified gaps; provide the necessary follow-up to closure.
Perform Information Security risk assessments for high-risk vendor engagements and control assessments for applications / platforms.
Perform control risk assessments for environments, including cloud-based applications and public cloud infrastructure.
Provide associated analysis, reporting and metrics for assessments.
Work together with the ISDP Leader on the Multi-level Protection Scheme (MLPS) program for applicable local solutions, including self-assessment and remediation follow-ups, communication with the external testing agency, etc.
Work together with ISDP Leader on enhancement of assessment questionnaire(s), assessment process documentation and templates.
Carry out data privacy related compliance risk analysis to support business decision making and business operations.
Work together with ISDP Leader to handle and resolve local security incidents.
Work together with ISDP Leader on internal ISDP awareness and training program.
Education: Bachelor of Engineering or equivalent; a major in Computer Science, Engineering or Information Security is preferred.
Experience: Minimum 4 years of IT experience, out of which 2 years with IT Security and Data Privacy Protection.
Experience with Information Security and/or Technology Risk Management; experience serving the retail industry is a plus.
Ability to assess Information Security controls for on-premise and cloud-based applications / infrastructure.
Strong understanding of applicable and accepted security and audit frameworks (such as COBIT and ISO), laws and regulations (China Cybersecurity Law, GDPR) & IT general controls.
Certifications: Information Security, risk management and data privacy related certifications (e.g. CISA, CISM, CISP, CISSP, etc.) will be a plus.
Continuously striving for excellence and simplicity
Safeguarding IKEA's interest as a totality
Governance and compliance
Strong communication skills are a must. The resource should be able to communicate effectively with cross-functional teams and vendors; both written and oral communication are critical.
Fluency (written, spoken and read) in Mandarin Chinese and English is required, including the ability to understand and translate technical documentation from Mandarin Chinese to English and vice versa.