  • Competitive
  • Hong Kong
  • Permanent, Full time
  • Citi
  • 2018-10-19

Information Security Continuity of Business and Controls Manager

  • Primary Location: Hong Kong SAR of PRC, Hong Kong, Hong Kong
  • Education: Bachelor's Degree
  • Job Function: Technology
  • Schedule: Full-time
  • Shift: Day Job
  • Employee Status: Regular
  • Travel Time: No
  • Job ID: 18062500


Description

Replacement for Information Security and Risk & Control Officer for Hong Kong.
The primary role of the Information Security (IS) and Risk & Control Manager is to execute control and risk management programs for Citi Technology Infrastructure Hong Kong, including the following:
Risk and Control Officer Roles
  • Manage internal, external, regulatory and other audits end-to-end; act as audit liaison, interface as required and provide proper perspective on risks and issues.
  • Independently assess the effectiveness of controls, determine the impact of control issues, identify corrective action, and track issues to closure. Collaborate to create Risk Acceptances (RAs), Risk Exceptions (REs), and Corrective Action Plans (CAPs) in the appropriate tools (iCAPs, CIRAS, etc.).
  • Plan, lead, and execute strategic/tactical initiatives on controls and risk management
  • Provide consultation on controls and risk management.
  • Oversee execution of compliance program activities including Manager's Control Assessment (MCA), Issue Management, Insurance Questionnaire, Audit Business Monitoring and Records Management.
  • Develop and deliver reports and metrics for management
  • Coordinate periodic reporting; analyze self-assessment, Governance oversight and audit results; and formulate remedial solutions
  • Work with management to instill a proactive risk management approach and its awareness
  • Maintain, distribute and conduct training on the overall risk management process and/or procedural changes
  • Ensure compliance with Citigroup Information Technology Management Policies (CITMP) and Standards
Business Information Security Officer (BISO)
  • Communicates and interacts regularly with employees and business management on IS-related programs, policies, and standards. Integrates Business and Regional TISO/GISO priorities into day-to-day business
  • Accountable for all IS activities that are relevant to the Business they support
  • Provides general IS consulting services including interpretation and/or clarification
  • The BISO's primary area of focus is IS Risk Management for the Business they support and its processes
  • Helps security incident response teams resolve and close the investigation of incidents with proactive suggestions
  • Assists in the definition and implementation of IS standards at the business level to ensure that procedures and practices comply with Citi standards
  • Enforces compliance; demonstrates extensive understanding of IS standards and best practices across multiple disciplines
  • Reviews status of business IS program and oversees corrective action when necessary
  • Develops corrective action language for all IS-related gaps and approves all closures by reviewing evidence to ensure the closure meets Citi requirements or industry best practices
  • Engages a TISO, SME or another senior ISO where additional technical knowledge is required
  • Ensures IS awareness materials are distributed per CISS requirements. Monitors/tracks IS training per CISS requirements
  • Ensures IS Risk Assessment is performed according to Citi standards by partnering with the businesses throughout the ISRA process and determines the impact of control deficiencies
  • Educates and advises the business on safe IS practices and current, changing, and/or recommended IS requirements
  • Plans and executes the IS strategy. Provides periodic IS risk management reports highlighting key issues and corrective action plans
  • Reports to a business manager with a matrix line to a GISO or reports directly to a GISO


Qualifications

  • Bachelor's degree in a related field; or equivalent work experience
  • 5-8 years' experience in any one area or combined areas of control, risk management, compliance, audit and IT/business project management
  • [Note: A non-graduate with strong experience and relevant job exposure to information security, audit or risk management functions is welcome to apply.]
  • Experience in Risk Management, Program / Project Management, Continuity of Business or Control & Compliance, Application Security risk assessment
  • Able to work under pressure, meet tight deadlines and handle crisis management, with non-office-hour support
  • Exposure to and familiarity with the various regulations governing IT issued by the Hong Kong Monetary Authority (HKMA) is definitely beneficial
  • Strong understanding of technology infrastructure and information security products
  • Good understanding of the Information control areas including authentication, authorization, access control, auditing, cryptography for applications
  • Broad knowledge of the interactions of Business and Technology organization; ability to manage expectations and maintain key relationships with the business, other Technology groups and vendors; strategic and critical thinking skills
  • Excellent verbal and written communication skills; solid influencing, facilitation and partnering skills; vendor management skills
  • Able to work with people from different levels independently with minimal supervision
  • Proficient in MS Office products, particularly PowerPoint and Excel
  • Certification in at least one of the following will be advantageous: CISA, CISM, CRISC, CISSP