This is a permanent role.
- Execute the day-to-day activities required to support the development of the Technology Risk Oversight (“TRO”) program, blending and applying organizational, technical, business, and cyber security skill sets.
- Participate in projects and initiatives that bring a proactive technology risk management focus by applying industry best practices.
- Develop a technology risk methodology for risk ranking the Bank’s assets according to business impact (i.e., hardware, software, associated data and supporting capabilities).
- Maintain an up-to-date understanding of internal and external emerging risks; identify potential threats and vulnerabilities to the Bank’s assets to assist in the evaluation of technology risk.
- Provide advice on how to meet technology-focused regulatory obligations and assess the impact of proposed regulations through the evaluation of regulatory developments and the implementation of required controls.
- Collaborate with IT to perform Maturity Assessments for the Bank’s technology risk drivers (e.g., Information Security, IT Strategy, Project Management, etc.) and identify improvement opportunities.
- Maintain an up-to-date understanding of new technology trends; help assess if and how these apply and provide value to the Bank while keeping aligned with the Bank’s risk tolerance.
- Work with technology and business teams to develop and document IT risk scenarios, related risk analysis, along with risk responses to manage technology risk within their areas.
- Investigate and evaluate technology-related operational incidents. This includes assessing the breakdowns and identifying opportunities for internal control improvement.
- Build and analyze the IT Risk Register, Controls Inventory, and Response Register.
- Work on special and/or ad hoc projects as assigned via the Technology Risk Working Group of the Operational Risk Committee (e.g., governance standards on Asset Management, etc.).
- Assist in the preparation of technology-risk-related deliverables.
- Bachelor’s degree in Information Systems, Computer Science or a related field preferred. Postgraduate degree or equivalent work experience a plus.
- Related security, technical, and/or risk professional certifications desired (e.g., CRISC, CISA, CISM, CGEIT, CSX-P, CCSK v4, CISSP, SANS, AWS, etc.).
- Must have a solid understanding of IT risk management concepts and practices;
- Must have a solid understanding of common risk and information security management frameworks and/or programs such as COBIT 2019, NIST, FIPS 199, CIS, ISO/IEC 27001, FedRAMP, FFIEC;
- Proficient understanding of cyber security and technology operations (i.e., client/server, LAN, UNIX, Windows, DB2, Oracle, SQL, VMware, firewalls, cloud computing);
- Minimum 6+ years’ experience, which may include a combination of IT security, infrastructure, cloud, architecture, data, IT risk/compliance, or IT governance.
- Past participation in either initial certification and/or renewal of ISO/IEC 27001, SOC 2/SSAE 18, etc.
- Operating, securing, or assessing one of the following areas: network security, identity and access management, vulnerability management, cloud security, penetration testing, or encryption management.
- Working with results generated from vulnerability assessments, penetration tests, threat modeling, and secure code reviews.
- Various IT-focused security risk assessments or technical assessments (e.g., related to cloud, network, systems, infrastructure, mobile, and web projects/initiatives).
- Analyzing complex technical systems and the business processes they support; synthesizing the corresponding risks and controls and recommending security solutions and remediation.
- Analyzing data from various sources to identify trends, emerging risks and key insights.
- Defining, developing, implementing, and monitoring KRIs and KPIs.
- Performing IT audits and/or IT SOX reviews.
- Coordinating with risk or audit on IT-focused audits or risk assurance projects.
- Financial services and banking industry experience a plus.