Information Security - Identity Lifecycle Management

Information Security - Identity Lifecycle Management

Contract: Permanent/Full time

Location: Milano, IT

Main responsibilities:

• Information Security Planning – Plan and estimate budget and time schedule for activities to be included into Information Security Master Plan.
• Oversight on maintenance and implementation of Information Security policies / procedures – Ensure the oversight of the implementation of the activities, identifying and reporting issues, risks and opportunities to the CISO / relevant stakeholders.
• Design and deliver awareness campaigns, workshops, and training initiatives tailored to different audiences.
• Support the selection and evaluation of training content and platforms, in collaboration with HR, Communication and other providers.
• Contribute to the definition and review of Identity Lifecycle models and controls and Segregation of Duties (SoD) in collaboration with Business owners, IT, HR, Risk Management, Privacy and Compliance, Internal Control and Internal Audit.
• Lead and coordinate the Identity Lifecycle and SoD projects for non-finance areas (i.e. SAP modules MM and SD), ensuring the extension of Identity Management governance to all business applications and data repositories.
• Collaborate with HR Business Partners (HRBP), Business Process Owners (BPO), and IT to define, implement, and maintain a centralized Role-Based Access Control (RBAC) library.
• Map, monitor, and evaluate application profiles (especially administrative roles) for non-finance departments, identifying anomalies and enforcing segregation of duties.
• Supervise and execute risk assessments for access requests outside the standard RBAC library, defining exception workflows and compensating controls.
• Validate new access or function requests against the approved role library and assess risks for exceptions or non-standard assignments.
• Define and enforce control processes for access provisioning, exception handling, and periodic reviews, including onboarding, role/function changes, and offboarding.
• Collaborate on the design and implementation of automated processes for onboarding, role changes, and offboarding, ensuring integration with HRIS and target systems.
• Support the periodic review and maintenance of the RBAC role library, working closely with HRBP and BPOs to refine roles and ensure SoD is maintained.
• Participate in incident investigations related to identity and access management, analyzing root causes and recommending improvements to lifecycle and SoD controls.
• Promote awareness and training on SoD principles and identity governance among business stakeholders, HR, and IT.
• Act as a governance and control point within the Identity Lifecycle Management process, ensuring that access delegation requests are appropriate, risk‑assessed, and aligned with the RBAC model and SoD process.
• Contribute to the definition and review of SoD models and controls in collaboration with IT, Internal Control, HR, Risk Management and Internal Audit.
• Define and maintain a comprehensive KPI framework for RBAC lifecycle governance, including the design of automated dashboards and anomaly‑detection metrics, the setup of threshold‑based alerts and escalation workflows, and the regular reporting of access‑governance performance and identified risks to the appropriate security and risk committee.

Main requirements:

• Bachelor’s degree in information security, Information Technology, Computer Science, Engineering, Statistical or similar.
• At least 2 years of experience gained in the ICT Risk Management or Security area with particular focus on the Identity Management and Segregation of Duties.
• Knowledge of SAP Basis especially on User Profile & Security Management.
• Knowledge of SAP GRC tool for risk analysis.
• Knowledge of relevant business processes (i.e. Make ‑ to ‑ Deliver, Procure to Pay, Hire to Retire).
• Knowledge of international standards and best practices in domain of Information Security, Data Protections and Business Continuity (e.g. GDPR, ISO 27001, NIST 800‑53, NIS2 etc.).
• Knowledge of relevant Information Security / Data Protection laws and regulations (e.g. Privacy, Health sensitive information, PCI DSS).
• Understanding of regulatory requirements for AI systems (ISO/IEC 42001:2023).
• Good project management skills, teamwork and individual accountability.
• Adequate data analytic fundamental skills.
• Proven ability to communicate to all levels in a technical and non‑technical manner.
• Knowledge about most common IT Security solutions.
• Excellent oral and written English language skills.

Optional requirements:

• Professional information security certifications (such as CISM, ISO 27001 Lead Auditor, CISSP, CISA).

What’s in it for you:

• Access to our cutting‑edge learning platform, Leonardo, and personalized development programs to help you grow professionally and personally.
• Enjoy flexible work conditions, health insurance coverage, ticket restaurants, internal rooftop canteen.
• Access special offers for employees on a vast range of eyewear, eye care products, and fashion apparel, so you can enjoy our world‑class brands firsthand.
• Enjoy our “Disconnect Program” a holistic approach to work‑life balance, including initiatives for mental health, yoga, jogging sessions, and more, designed to help you recharge and stay healthy.

Salary Package:

• Supplementary Health insurance coverage.
• Supplementary Pension Plan.
• Access to the EssilorLuxottica Corporate Welfare Catalog.
• Transportation – Discounted pass.
• Meal Vouchers as per company guidelines.
• Exclusive employee discounts on company products.
• Company‑provided laptop and mobile phone.

Our Diversity, Equity and Inclusion commitment

We are committed to creating an inclusive environment for all employees. We celebrate diversity and provide equal opportunities to all, regardless of race, gender, ethnicity, religion, disability, sexual orientation, or any other characteristic that makes us unique.