IRM Lead Specialist

  • Competitive
  • London, England, United Kingdom
  • Permanent, Full time
  • BNY Mellon
  • 25 Sep 16

IRM Lead Specialist

For over 230 years, the people of BNY Mellon have been at the forefront of finance, expanding the financial markets while supporting investors throughout the investment lifecycle. BNY Mellon can act as a single point of contact for clients looking to create, trade, hold, manage, service, distribute or restructure investments & safeguards nearly one-fifth of the world's financial assets. BNY Mellon remains one of the safest, most trusted and admired companies. Every day our employees make their mark by helping clients better manage and service their financial assets around the world. Whether providing financial services for institutions, corporations or individual investors, clients count on the people of BNY Mellon across time zones and in 35 countries and more than 100 markets. It's the collective ambition, innovative thinking and exceptionally focused client service paired with a commitment to doing what is right that continues to set us apart. Make your mark: bnymellon.com/careers.

Risk and Compliance provide risk and compliance services across all BNY Mellon businesses. Organizationally, Risk and Compliance includes the following groups: Risk Management, Compliance, Global Corporate Security, Information Risk Management and Global Business Continuity. Risk Management oversees and delivers risk services and ensures new business risks are reviewed and approved. Risk Management is organized through Chief Risk Offices for each core business and critical operation. Risk managers provide shared support to BNY Mellon for operational risk services for Global Corporate Trust, Depositary Receipts, Treasury Services and Global Operations in EMEA. Compliance helps ensure BNY Mellon's businesses maintain appropriate processes to comply with applicable laws, regulations, BNY Mellon policies and ethics. This is accomplished through business- and business partner-specific teams of professionals, under centralized global management.

Description
Team Description:
 
The role is part of the Information Risk Management (IRM) organisation at Bank of New York Mellon. IRM is comprised of 6 main teams:

  • Risk and Control Governance
  • Technology Risk Management (Application Assessments, Infrastructure Assessments, Service Provider Management & Risk Strategy)
  • Information Security
  • Identity and Access Management
  • Chief Administrators Office
Job Purpose:
 
This role will be part of the Infrastructure Assessments team, which is part of Technology Risk Management International. The Technology Risk Management International Assessments team has staff based in Singapore, Dublin, Manchester and London. The Team has responsibility for:
 
Network Security Assessments
  • Application Security Assessments
  • Service Provider Management (SPM)
  • Mergers and Acquisition (TRM due diligence and subsequent integration risk assessment)
  • The Information Risk Specialist role will be based in our London Queen Victoria Street office.

The UK team have primary responsibility for Infrastructure Security Assessments and Network Security Assessments in the EMEA region. Support is also provided to the US teams.
 
Responsibilities: (Key parts to the job role)
 
To ensure the integrity and reliability of Company data and systems, through appropriate technology risk assessment. This includes involvement in business and IT projects to ensure that appropriate controls are built in from the earliest stages. The responsibilities of the team include (with overall approximate percentage of time spent on each):
  • Technology Infrastructure and Network Security Assessments (35%)
  • Consultancy Requests (15%)
  • Duty Officer Role - Firewall/URL change request approval, Reconciliation of firewall changes (15%)
  • Firewall Policy Compliance & Rule Usage Reviews (15%)
  • Issues and Exceptions processing and tracking (10%)
  • Other (10%)

In addition to these areas, the team is also engaged in general Information Security Consulting to the EMEA/Asia Pac businesses

Range of Activities (Proportionally more than 5% of time)

  • Technology Infrastructure Assessments (35%)
  • Technology Infrastructure Assessments for new, changed and existing systems in accordance with the BNY Mellon Information Security Policies, Standards and Procedures.
  • Works with the Business and Technology teams to identify security issues and agree corresponding actions to mitigate or accept risks.
  • If risks cannot be mitigated, works with the business to request a policy exception.
  • Tracks issues and agreed actions to completion. Escalating issues to the Head of International Assessments where necessary.
  • Project Consultancy (15%)
  • Project Consultancy for new, changed and existing systems in accordance with the BNY Mellon Information Security Policies, Standards and Procedures.
  • Works with the Business and Technology teams to identify security issues and agree corresponding actions to mitigate or accept risks.
  • If risks cannot be mitigated, works with the business to request a policy exception.
  • Tracks issues and agreed actions to completion. Escalating issues to the Head of International Assessments where necessary.
  • Duty Officer Role - Firewall/URL change request approval, Reconciliation of firewall changes (15%)
  • Duty Officer is a role performed by the team to:
  • Assess firewall changes with a view to approval
  • Firewall change reconciliation
  • Assess URL access requests with a view to approval
  • Ad-hoc requests for TRM support/guidance
  • Firewall Policy Reviews (15%)
  • Perform firewall policy reviews using the firewall analysis tools in compliance with the Information Security Policies, Standards and Procedures as required by the business. This typically takes place once a year but there may be ad-hoc requirements to perform policy reviews.
  • Issues and Exceptions processing and tracking (10%)
  • As a result of the above responsibilities, Issues and Exceptions to policy will be generated. Using the company risk management tool to create and track issues and exceptions, the associated risks will be followed through to conclusion.
  • Other (10%)
  • Support other teams within TRM in their responsibilities e.g. Acquisitions/Mergers & Divestitures
  • Ad-hoc requests for TRM support/guidance
  • Attending key meetings across the organisation
  • Service Provider Management - working with our service provider management team to help assess risks at service providers and vendors.
.

Qualifications
Requirements; (what we are looking for)
 
This is generally a 'hands off' role - the successful candidate will have no responsibility for actually carrying out security changes such as adding users, installing or configuring applications, etc. IT and others carry out changes under the supervision and instruction of TRM where relevant. However, a certain level of knowledge is required when working with technicians to know what is required, possible and achievable in technical areas.

The successful candidate must have:
 
  • Strong experience in a Technology Risk, Information Security or an IT Audit role;
  • A professional qualification, relevant to Information Security (such as MSc, CISSP or CISM);
  • A thorough understanding of Risk Assessment approaches and methodologies;
  • A good understanding of normal network infrastructure such as VPNs, firewalls, switches, routers, LANs, etc.;
  • Experience of formal document creation, such as the creation of reports or procedures;
  • Experience of carrying out risk reviews, technology audits or other similar work;
  • Thorough understanding of the ISO 2700X series of standards and guidelines; and
  • Strong MS Office skills (core applications).
  • Some or all of the following will be of advantage…
  • Knowledge or practical experience of one or more of the following products:
  • Archer Technologies SmartSuite Framework.
  • Algosec Firewall Analysis Tool
  • Tufin Operations Management
  • Juniper/Checkpoint/CISCO firewall management
  • URL Filtering products
  • Other professional qualifications/memberships, relevant to Information Security (Institute of Information Security professionals, CISA or QICA).

Key Skill and Attributes:
  • A keen eye for an opportunity to improve existing process and take the initiative to promote such an enhancement.
  • Must take accountability for their actions and be open and honest when things have gone wrong, and celebrate successes when things have gone well.
  • Able to co-operate and work well with others adopting an approachable style - Important as we work closely with a large and diverse set of suppliers and customers.
  • Must be rigorous and thorough - especially when logging and tracking issues through to conclusion
  • Candidate must be able to manage their own workload and run several tasks concurrently so as to meet the realistic targets and priorities set in conjunction with management. This is especially important because we work in an environment where priorities can change quickly and with little prior warning. Demonstrate a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in the role of Risk Assessment in business.
  • Demonstrates a calm professional approach, with a good understanding of time constraints and the need to escalate/inform departmental management as appropriate.
  • Understands their own shortfalls and knowledge gaps. Not afraid to acknowledge a gap and work on strategies to address them.
  • Adapts personal approach to suit situations, individuals, groups and cultures. Is flexible in relation to getting the job done.
  • BNY Mellon often goes through periods of change and it is therefore critical that this person adapts to changes in the organisation and job responsibilities and displays a positive attitude.
  • Must be able to see the customer perspective, i.e. from a business point of view, the most secure solution is not always workable or realistic considering costs and benefits.
  • Able to express clearly and fluently, both orally and in writing. Considers the audience, avoiding technical jargon wherever necessary and appropriate.
  • Documentation must be professional, well-structured and presented and require the minimum management review and revision. This is especially important.
  • Good at listening and analysing a situation or the information provided.
  • Works well with others or individually. Supports the development of the team as a whole, places team before personal interests.
  • Shows respect for others and recognises their concerns and interests.
 

BNY Mellon is an Equal Employment Opportunity Employer.

Primary Location: United Kingdom-Greater London-London
Job: Audit/Compliance/Risk
Internal Jobcode: 32946
Organization: Information Risk Management-HR06032
Requisition Number: 1611218