Description
The Governance and Control team is a central part of the Cybersecurity and Technology Controls (CTC) department, with primary responsibility to provide robust metrics, data-driven insights, and effective technologies for risk management. We aim to effectively identify, monitor, evaluate, and manage the firm’s Technology and Cyber risks, including but not limited to operational losses, material risk, and regulatory changes, in support of the firm’s strategic plan. We develop comprehensive processes to monitor, assess, and manage the risk of expected and unexpected events that may have an adverse impact on the firm. Risk professionals execute critical day-to-day risk management activities, lead and support projects, and contribute to the ongoing advancement of a robust risk management program. Effective coordination with executive management, business units, control departments and technology teams is critical for success.
As an experienced professional in our cybersecurity organization, you will be responsible for supporting and helping drive the control evaluation methodology and framework in the Control Evaluation organization within CTC. You won’t just be watching over our data – you’ll be finding innovative new ways to protect it in the future. To do that, you’ll operate as part of a highly motivated team focused on analyzing, designing, developing and delivering solutions built to stop adversaries and strengthen our operations. You’ll support CORE Leadership to provide advice on best practices and support our business and technology groups on control evaluations. You’ll deploy best practices, new policies and emerging trends to strengthen our strategic roadmap. By presenting your findings to senior leaders, you’ll sharpen your communication and presentation skills. As part of our global team of technologists and innovators, your work will have a critical impact on our company, as well as our clients and our business partners around the world.
Job responsibilities
- Execute the firm-wide technology risk assessment program (CORE), ensuring proper evaluation of controls and identification of significant control deficiencies.
- Partner closely with Technology stakeholders providing clear direction and guidance during CORE.
- Perform end-to-end control evaluations for control design and control performance evaluations, to validate and ensure proper documentation of evidence in compliance with CORE Program Standards and Procedures.
- Work actively with the Assessment Leads and ISMs to improve technical assessment guidance and evaluation approaches, where appropriate.
- Perform CORE Program Reporting consisting of: weekly status reports; monthly updates for control committees; commentary around KRI/KPI issues and long dated or audit identified issues; CORE assessment results and current risk posture; technology triggers and impact to business operational risk.
- Ensure issues management remediation and control re-evaluation is in line with CORE Standards & Procedures, consisting of: weekly reporting, tracking, and analysis of trends; issues and related action plans & risk acceptances are timely documented, assigned, and resolved; escalation of non-compliance to senior leadership; and assessment stakeholder assignment for control re-evaluation.
- Assist with responses to Internal Audit as it relates to assessment program results.
Required qualifications, capabilities, and skills
- Formal training or certification in Information Security practices and 7+ years applied experience.
- Have experience with audit and / or technology risk assessment processes and an understanding of internal controls and how they protect the firm and its clients.
- Ability to effectively develop and communicate recommendations based on various technical compliance and control assessment results.
- Experience in software application assessment and controls testing.
- Detail-oriented, with the ability to examine and evaluate processes, controls and issues to determine risk areas.
- Ability to eloquently describe and defend the process followed in performing assessments and evaluating results to stakeholders and management.
- Can work independently and can collaborate comfortably in a matrix organization within a broader team.
- Excellent verbal and written communication skills, including the ability to effectively participate in and sometimes lead discussions and meetings with internal management and other groups involved in technology control assessments.