Team Profile
Security, Testing, Assessments & Risk (STAR) enables our company’s business to appropriately manage its risk by providing products and services that deliver transparency, continuously protect the Firm's interests, and evolve with changing risk landscapes. Our service within STAR is focused on protecting the Firm by ensuring that in-scope technologies deployed internally, products purchased, and services used meet requirements that include the Firm’s policies, external guidelines, regulatory expectations, and appropriate controls in the areas of information security, secure design, and cyber security.
The Technology Control Assessment (TCA) group runs an IT system owner self-assessment function which focuses on assessing compliance with Technology controls. This program operates within the global framework and regulatory and industry best practice, while partnering with various stakeholders to ensure that the objectives of the relevant programs are met. As a result of the recent acquisition of E*TRADE by our company, TCA is expanding assessment coverage to include E*TRADE’s controls, processes, procedures, and technology assets.
Primary Responsibilities
The role’s responsibilities include:
- Using the Risk and Control Framework (RCF), identify the corresponding controls in place at E*TRADE
- Plan, oversee, and review the execution of a detailed self-assessment of compliance with RCF controls
- Provide regular management reporting on progress
- Build strong positive relationships with the E*TRADE Information Security / Risk community, Internal Audit, Operational Risk Department, and Risk Officers
- Deliver program-specific communications to stakeholders on risk and control related matters (e.g., technology governance forums)
- Perform a detailed review of high-risk systems with high levels of non-compliance
- Present results to stakeholders, senior management and other relevant parties
- Prepare documentation of identified risks and issues for reporting in centralized issue / risk tracking applications
Experience
- Working knowledge of key Technology concepts (e.g., data classification, protection, policies, governance, privacy, security assessment tools)
- Understanding of key concepts related to risk assessment and controls
- Process-based thinking to effectively obtain, analyze and interpret information, identify root causes of problems, and draw the appropriate conclusions
- Working knowledge of technology applications, with the ability to identify and validate risks and controls
- Understanding of the relevant local technology risk regulations and the associated application to a financial services business
Desired Skills and Competencies
- Excellent written and verbal communication skills
- Expertise working with the Archer tool
- Good organizational skills; a high degree of attention to detail and ability to manage multiple priorities
- Business/Product Knowledge: Familiarity and experience with electronic trading platforms is a strong plus, but is not required
Education, Background & Experience Required
Education: Bachelor's degree
A minimum of 5 years of relevant risk experience from roles in any of the following:
- Audit (internal or external)
- Risk Officer / Information Security Officer
- Technology Risk Governance
- Risk Assessment (e.g., RCSA)
- Control Testing (e.g., SOX)
- Information Security / IT Security (e.g., Entitlements Management, Segregation of Duties, Threat Management, Penetration Testing, Strategy)
- Regulatory (e.g., working as a financial services regulator or having experience dealing with regulators)
- Technology / Information Security Policy / Procedures
- Process/Risk/Control Frameworks, e.g., COBIT
Qualifications Desired
Certifications: Attainment of any of the following certifications is a strong plus, but not required
- Certified Information Systems Auditor (CISA)
- Certified in Governance for Enterprise IT (CGEIT)
- Certified Internal Auditor
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- ISO 27001 Auditor