信息安全经理 Information Security Manager

信息安全经理

业务部门: 技术与数字

工作地点-国家/地区: 上海, 中国

职位介绍：

作为信息安全经理，您的主要职责是在公司数字产品和平台中推动隐私设计理念的落地，确保隐私要求在系统和产品开发生命周期中得到有效集成。您需要深入理解中国隐私法律法规及相关技术标准，并将这些要求转化为可执行的技术规范和流程指南，推动隐私与安全相关的技术和流程改进。该角色要求您在法律、信息安全和工程团队之间发挥桥梁作用，确保隐私和安全要求在产品和系统中得到落实。同时，您将撰写高质量的技术文档和实施指南，管理跨职能项目，并通过影响关键利益相关方来实现隐私合规和信息安全目标。该职位隶属于信息安全团队，并与隐私法律职能保持紧密协作。

工作内容：

• 解读并持续监控中国隐私法律（如《个人信息保护法》《数据安全法》《网络安全法》）及相关 GB/T 技术标准的技术要求，并将其转化为可执行的技术规范和流程指南；
• 在软件开发生命周期（SDLC）中定义隐私工程要求和检查点，确保其融入产品开发流程；
• 将隐私非功能性需求（NFR）纳入设计评审和版本发布；指导并推动工程和产品团队实施隐私控制措施，如数据最小化、加密、去标识化、数据保留、日志与可审计性、基于角色的访问控制以及同意管理等；
• 维护系统中个人数据的最新清单，并支持隐私影响评估（DPIA）及跨境数据传输评估；
• 审查第三方 SDK、跟踪器和云配置，支持供应商隐私评估、隐私影响评估及跨境数据传输评估，确保符合隐私要求；
• 作为隐私项目经理，领导隐私相关举措在技术与数字团队中的实施，确保按时交付并降低风险；
• 与法律、信息安全、技术与数字团队及业务团队协调合作，将隐私要求嵌入产品和流程；
• 为内部利益相关方及监管用途准备文档、演示材料和报告；
• 与隐私法律团队合作，开展隐私意识培训，推动组织内隐私合规文化建设；
• 支持与个人数据相关的事件响应活动，包括文档记录和经验总结。

我们希望您：

• 计算机科学、信息安全、软件工程或相关领域的本科及以上学历；
• 6–10 年隐私工程、信息安全或隐私合规相关工作经验，具备 IT 项目管理经验者优先；
• 深刻理解中国隐私法规（《个人信息保护法》《数据安全法》《网络安全法》）及相关 GB/T 标准；熟悉国际隐私框架（如 GDPR）者更佳；
• 能够理解并清晰解释隐私相关技术概念（如加密、去标识化、假名化），并将其转化为可执行的指南；
• 具备管理跨职能项目并推动合规举措落地的成功经验；
• 优秀的英文书写能力，能够为技术和非技术受众撰写清晰、详细的指南和文档；
• 出色的沟通、演示和人际交往能力；中英文听说读写流利。

Information Security Manager

Line of Business: Technology & Digital

Location: Shanghai, China

Job Summary:

As an Information Security Manager, your primary duty is to embed Privacy by Design principles across our digital products and platforms, ensuring privacy requirements are integrated throughout the system and product development lifecycle. In this role, you will interpret technical requirements under China’s privacy laws and relevant standards, translate them into actionable technical and process guidelines, and drive the implementation of privacy and security initiatives across Tech & Digital. Acting as a bridge between Legal, InfoSec, and Engineering teams, you will ensure compliance is built into products and systems from the ground up. The ideal candidate will have a strong IT or engineering background, excellent written English skills for drafting detailed technical guidelines, and proven ability to manage cross-functional projects and influence stakeholders. This position is part of the Information Security team, with close collaboration and dotted-line reporting to the Privacy Legal function.

Key Responsibilities:

• Interpret and monitor the technical requirements under China privacy laws (PIPL, DSL, CSL) and relevant GB/T standards, and translate them into actionable technical and process guidelines.
• Define privacy engineering requirements and checkpoints within the SDLC and ensure they are integrated into product development processes.
• Bake privacy NFRs into design reviews and releases; guide and drive engineering and product teams on implementing privacy controls such as data minimization, encryption, de-identification, retention, logging/auditability, role-based access, consent management, etc.
• Maintain an up-to-date inventory of personal data across systems.
• Review third-party SDKs, trackers, and cloud configurations, and support vendor privacy assessments, privacy impact assessments and cross-border data transfer evaluations to ensure compliance with privacy requirements.
• Act as a privacy project manager role to lead the implementation of privacy initiatives across Tech & Digital, ensuring timely delivery and risk mitigation.
• Coordinate with Legal, InfoSec, T&D, and business teams to embed privacy requirements into products and processes.
• Prepare documentation, presentations, and reports for internal stakeholders and regulatory purposes.
• Work with Privacy Legal to deliver privacy awareness training and promote a culture of privacy compliance within the organization.
• Support incident response activities related to personal data, including documentation and lessons learned.

Desired Qualifications:

• Bachelor’s degree in Computer Science, Information Security, Software Engineering or related field.
• 6–10 years of experience in privacy engineering, information security, or privacy compliance, with IT project management experience preferred.
• Strong understanding of China privacy regulations (PIPL, DSL, CSL) and relevant GB/T standards; familiarity with international frameworks (e.g., GDPR) is a plus.
• Ability to understand and explain technical privacy concepts (e.g., encryption, de-identification, pseudonymization) and translate them into actionable guidelines.
• Proven experience in managing cross-functional projects and driving implementation of compliance initiatives.
• Excellent written English skills, with the ability to produce clear, detailed guidelines and documentation for technical and non-technical audiences.
• Excellent communication, presentation, and interpersonal skills; fluent in Chinese and English (written and spoken).