- Reporting to the CISO, the Manager Information Security Risk will oversee all first line information security risk management activities that protect Client and its clients while complying with applicable regulations and Client policies. The Manager Information Security Risk provides leadership and direction for the organization’s security policies and security risk management processes by establishing a framework of controls so that the Client can manage risk, meet regulatory compliance and maintain governance over all aspects of IT. This role will oversee and monitor the Information Security and IT organization responses to all audits and assessments and track the remediation of risks and issues in alignment with the ERM issues management and risk reporting processes. The role includes implementation and maintenance of policies, as well as training and awareness, plus vendor risk management responsibilities. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business-critical. This role will work closely with second and third line risk leaders.
- In partnership with IT, business and security teams, direct and conduct ongoing security risk analysis organization-wide and elevate the company’s security posture.
- Serve as a subject matter expert and trusted advisor as part of establishing relationships to support risk-based decision making across business, IT and the broader stakeholder community at the Client.
- Lead the Technology Risk Committee meetings to oversee technology and information security risks in the Client. Design and compile reports of the Technology Risk Committee activities for the Operational Risk Committee and, when appropriate, to the Executive Risk Committee of the Client on a quarterly basis or more frequently as necessary.
- Ensure that prudent technology and information security risk management practices are deployed in the Client and take action to track and remediate risks when those risks are determined to pose a threat to the Client’s safety, soundness, or reputation. Track risks and issues and ensure their on-schedule remediation in alignment with the ERM issues management process.
- Establish and maintain processes for managing security-related audits, control assessments, compliance checks and external assessments across Business, IT and Information Security. Ensure timely and complete responses to evidence requests and compile management responses and remediation plans as needed.
- Emphasize the application of privacy, security, business resiliency and compliance frameworks including but not limited to, FFIEC (Federal Financial Institutions Examination Council), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Service Organization Controls (SOC) 1, PCI and ITIL V3/4 processes.
- Build out and manage the Information Security Controls Assurance Program to evaluate risk and controls by executing targeted testing of first line operated control processes.
- Develop and publish policy, standards and procedures for implementation based on the Client’s risk appetite, industry best practice guidance and based on a detailed knowledge of the regulatory and stakeholder requirements.
- Work closely with the Enterprise Risk Management team to design and maintain a risk and controls matrix mapped to applicable regulatory and selected framework controls and in alignment with the agreed risk appetite. In addition, facilitate a Risk and Control Self-Assessment (RCSA) across IT and Information Security.
- Participate in the vendor risk assessment process and provide security risk assessment services and contract reviews to ensure that third parties meet the Client’s information security control requirements.
- Develop and implement a cyber-security training and awareness program across the Client.
- Contribute to and validate metrics used in assessment of security program success and report them regularly to security and business leadership.
- Bachelor’s degree in Information Security, Computer Science, Management of Information Systems, or related field required. Master’s degree in a related field is an advantage.
- Minimum of 8 years’ experience in one or more information security roles, including security risk analysis and control design, compliance and risk management, security control process assurance or audit of technology controls.
- Demonstrated deep background (preferred 4+ years) in risk treatment, controls selection and information security controls process design.
- Direct hands-on experience with information security policies, standards, and industry leading practices is essential.
- Demonstrated experience with security processes and technology solutions that align with controls for FFIEC, SOX Section 404, ISO 27001/2, FISMA or National Institute of Standards and Technology (NIST) 800-53 Rev4 or Rev5 guidelines is required.
- Professional security risk management certification is required, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials.
- Strong team and organizational management skills, and track record of delivering security governance, risk and compliance projects under tight deadlines.
- 3 or more years’ experience managing distributed team personnel.
- Capable of working with diverse teams and promoting a positive enterprise-wide security culture.
- Demonstrated project management, multitasking and organizational skills.
- Detail-oriented, with excellent written and verbal communication, interpersonal and collaborative skills.
- Self-driven and able to work in an agile team within a large enterprise organization, as well as independently.
- High level of personal integrity, high degree of initiative, dependability and ability to work with limited supervision.