Business Information Security Officer

  • Competitive
  • Shanghai, Shanghai Shi, China
  • Permanent, Full time
  • Citi China Company Limited 花旗中国
  • 18 Jan 17

  • Primary Location: China, Shanghai, Shanghai
  • Education: Bachelor's Degree
  • Job Function: Technology
  • Schedule: Full-time
  • Shift: Day Job
  • Employee Status: Regular
  • Travel Time: No
  • Job ID: 16078652


  • Provides general IS consulting services including interpretation and/or clarification.
  • Supports the business by reviewing Third Party contract language as it relates to IS.
  • Helps security incident response teams resolve and close the investigation of incidents with proactive suggestions.
  • Assists in the definition and implementation of IS standards at the business level to ensure that procedures and practices comply with Citi standards.
  • Enforces compliance; demonstrates extensive understanding of IS standards and best practices across multiple disciplines.
  • Assists with Third Party IS Assessment (TPISA) follow-up.
  • Reviews status of business IS program and oversees corrective action when necessary.
  • Develops corrective action language for all IS-related gaps and approves all closures by reviewing evidence to ensure the closure meets Citi requirements or industry best practices.
  • Collaborates to create Risk Acceptances (RAs), Risk Exceptions (REs), and Corrective Action Plans (CAPs) in the appropriate tools (iCAPs, CIRAS, etc.).
  • Ensures that approvals and reviews are executed when needed.
  • Ensures IS Risk Assessment is performed according to Citi standards by partnering with the businesses throughout the ISRA process and determines the impact of control deficiencies.
  • Engages a TISO, SME or another senior ISO where additional technical knowledge is required.
  • Additional ad-hoc IS & Risk related initiatives and projects.


  • Bachelor's degree in Computer Engineering, Computer Science, or related discipline
  • Minimum 3 years of working experience in IS and at least 2 IS programs including, but not limited to, Audit Reviews, Risk Assessment, Awareness & Training, Identity Access & Management, Data Protection, Incident Management, Vulnerability Assessment. Knowledge of key government regulations and local laws.
  • Solid business experience, preferably in risk management activities.
  • Good understanding of the IS risks that are inherent to a business.
  • Strong oral and written communication skills in both Chinese and English.
  • Responsible and reliable.
  • At least one certification held or in progress (CISSP, CISM, CISA).