Hybrid - Senior Technology and Security Risk Analyst - Perm Role

This is Permanent role

• Execute day-to-day activities required to support the development of the Technology Risk Oversight (“TRO”) program. Ability to blend and utilize their organizational, technical, business, and cyber security skill-sets.
• Participate in projects and initiatives to bring a pro-active technology risk management focus by utilizing industry best practices.
• Develop a technology risk methodology for risk ranking the Bank’s assets according to business impact (i.e., hardware, software, associated data and supporting capabilities).
• Maintain an up-to-date understanding of internal and external emerging risks; identify potential threats and vulnerabilities to the Bank’s assets to assist in the evaluation of technology risk.
• Provide advice on how to meet technology focused regulatory obligations and assess the impact of proposed regulations through the evaluation of regulatory developments as well as implementation of required controls.
• Collaborate with IT to perform Maturity Assessments for the Bank’s technology risk drivers (e.g., Information Security, IT Strategy, Project Management, etc.) and identify improvement opportunities.
• Maintain an up-to-date understanding of new technology trends; help assess if and how these apply and provide value to the Bank while keeping align to the Bank’s risk tolerance.
• Work with technology and business teams to develop and document IT risk scenarios, related risk analysis, along with risk responses to manage technology risk within their areas.
• Investigate and evaluate technology related operational incidents. This includes assessing the breakdowns and identifying opportunities for internal control improvement.
• Build and analyze the IT Risk Register, Controls Inventory, and Response Register.
• Work on special and or ad-hoc projects as assigned via the Technology Risk Working Group of the Operational Risk Committee (e.g., Governance standards on Asset Management, etc.).
• Assist in the preparation of technology risk related deliverables.

• Bachelor’s Degree in Information Systems, Computer Science or related field preferred. Post graduate degree a plus or equivalent work experience.
• Related security, technical, and/or risk professional certifications desired (e.g.,
  CRISC, CISA, CISM, CGEIT, CSX-P, CCSK v4, CISSP, SANS, AWS, etc.).

• Must have solid understanding of IT risk management concepts and practices;
• Must have solid understanding of common risk and information security management frameworks and/or programs such as COBIT 2019, NIST, FIPS 199, CIS, ISO/IEC 27001, FedRAMP, FFIEC;
• Proficient understanding of cyber security, technology operations (i.e., client server, LAN, UNIX, Windows, DB2, Oracle, SQL, VMWare, firewalls, cloud computing);

• Minimum 6+ years’ experience which may include a combination of IT security, infrastructure, cloud, architecture, data, IT risk/compliance, or IT governance.
• Past participation in either initial certification and/or renewal of ISO/IEC 27001, SOC 2/SSAE18, etc.
• Operating/securing/assessing one of the following areas such as network security, identity access management, vulnerability management, cloud security, penetration testing, or encryption management.
• Working with results generated from vulnerability assessments, penetration tests, threat modeling, and secure code reviews.
• Various IT focused security risk assessments or technical assessments (e.g. related to cloud, network, systems, infrastructure, mobile, and web projects/initiatives).
• Analyzing complex technical systems and the business processes they support; synthesizing the corresponding risks and controls and recommending security solutions and remediation.
• Analyzing data from various sources to identify trends, emerging risks and key insights.
• Defining, developing, implementing, and monitoring KRIs and KPIs.
• Performing IT audits and/or IT SOX reviews.
• Coordinating with risk or audit on IT focused audits or risk assurance projects.
• Financial services and banking industry a plus.