This position requires a deep understanding of the complexity of Chinese regulations and technologies. It is responsible for the implementation and ongoing operation / enhancement of the related processes / governance, IT network and systems, etc., with regard to compliance with the CSL and related regulations and with Lilly global information security requirements, for Lilly China including Commercial, LCDDMAC and Research/LCIP, which are located in Shanghai and registered with the Shanghai authority (Suzhou Manufacturing is out of scope), in cooperation with cross-functional teams. This position also serves as a key contact person working with the related local government agencies on cyber security / information security matters (communicating in Chinese).
Local government officers – provide necessary information and technical support to government authorities in coordination with Lilly cross-functional teams.
Local business partners – understand the business needs and provide the necessary support and solutions based on the specific security requirements, such as personal information protection and business cases involving cross-border data transfer.
Local IT & technical support teams (internal & external) – follow the Security by Design principle and incorporate the necessary information security standards into new system or enhancement designs and technical selection criteria, for example log collection, and encryption or de-identification of Sensitive Personal Information.
Local service providers / vendors – engage in vendor assessment from an information security perspective and help Lilly China select the right solution or service in compliance with China regulations and global information security standards.
Global Information Security – cooperate on CSL impact/risk assessment and enhancement. Work on cyber security incidents and their resolution. Understand Lilly security standards and related controls (RED Application SOP, etc.) and localize / implement them accordingly in Lilly China.
Legal team – partner with the legal team to gain a clear understanding of the laws, the potential legal risks and their technical implications, and to prepare an appropriate implementation plan.
Implementation and ongoing support for compliance with the China Cyber Security Law and other related regulations
Follow-ups from the initial assessment: implement the identified action items and mitigate risks. Key activities:
a. Localize the Information Security Incident/Emergency Response Plan and Incident Management SOP.
b. Update the local IT procurement policy to ensure technical solutions/products are properly certified by the government.
c. Update log collection, retention (~ 6 months) and monitoring related policies and standards.
d. Conduct an annual drill of the Incident Management Process, including BCP/DRP for security incident cases.
e. Encrypt sensitive personal information using approved encryption products*.
f. Work with business partners to perform a cleanup of unnecessary (out-of-date) personal information. Create a new process to monitor and perform regular cleanups.
Be engaged in and support the LCDDMAC/MFG assessment. Cooperate on action items that have an impact at the affiliate level.
Key liaison between Lilly China and Chinese regulators / government agencies for cyber security matters, in Chinese, under the supervisor's supervision.
Provide technical support and assistance to the public security authority or national security authority in coordination with cross-functional teams (Information Security, IT, Legal, business functions, etc.).
Plan and coordinate annual events (self-assessments, Incident Response drill, cross-border data transfer assessment, etc.); execute and document them, and update stakeholders on status and results.
Work with the IT Quality and Service team to ensure that activities required by law (such as review of audit trails, system logs and other monitoring data sources) are performed periodically and comply with policies and regulatory requirements. Continue to evaluate and implement remediation plans as new regulations are released, including, but not limited to:
Multi-Level Protection Scheme (MLPS) 2.0
Grade all legacy systems (Level 1 to 5)
Conduct self-assessment and registration (Level 2 or above)