ITCT Technology Control Testing Associate

  • Competitive
  • Glasgow, Scotland, United Kingdom
  • Permanent, Full time
  • Morgan Stanley
  • 24 Jun 2018


Company Profile:

Morgan Stanley is a leading global financial services firm providing a wide range of investment banking, securities, investment management and wealth management services. The Firm's employees serve clients worldwide including corporations, governments and individuals from more than 1,200 offices in 43 countries.

As a market leader, the talent and passion of our people is critical to our success. Together, we share a common set of values rooted in integrity, excellence and strong team ethic. Morgan Stanley can provide a superior foundation for building a professional career - a place for people to learn, to achieve and grow. A philosophy that balances personal lifestyles, perspectives and needs is an important part of our culture.

Department Profile:

Technology & Information Risk's mandate is to enable the Firm to manage its technology-related risks by implementing proactive, comprehensive and consistent risk management practices across the Firm to protect the franchise while capturing business opportunities. The TIR team partners with the business by ensuring that the Technology division understands how to manage, escalate and monitor risk.

Team Profile:

The InfoSec & Technology Controls Testing Team is accountable for the execution of a number of programs relating to assessing the design and testing the effectiveness of key controls, as well as testing compliance with Technology and Information Security Policies. These programs span Technology and the remit of the Firm's Global Information Security Program Policy. To accomplish this, the Controls Testing team member will operate within the global framework, regulatory requirements and industry best practice, while partnering with various stakeholders to ensure that the objectives of the relevant programs are met.

Primary Responsibilities:

The role's responsibilities include:

- Delivering and operating the objectives of the global control testing program and managing control testing requirements

- Building strong positive relationships with the local Information Security / Risk community, within Technology and also the Firm, for example Internal Audit, Operational Risk Department, and Risk Officers

- Developing and delivering program specific communications to stakeholders on risk and control related matters e.g. technology and information security governance forums

- Presenting overview / results of testing program to stakeholders, senior management and other relevant parties

- Coordinating stakeholders across Firm departments to scope relevant testing e.g. Policy Compliance Testing, request based control testing

- Planning, reviewing and/or supervising testing of controls and/or policy compliance executed by the ITCT team, and providing regular management reporting on progress to meet regional requirements

- Producing or reviewing work paper documentation to standards suitable for use by auditors

- Status, risk and issue reporting on program progress and deliverables

- Preparing documentation of identified risks and issues for reporting in centralized issue / risk tracking applications


Required Skills

- Working knowledge of key Technology and Information Security concepts e.g. data classification, protection, policies, governance, privacy, security assessment tools

- Risk and Control Knowledge: Understanding of key concepts related to risk assessment, controls and testing

- Analytical Thinking: Engages in process-based thinking to effectively obtain, analyze and interpret information, identify root causes of problems, and draw the appropriate conclusions

- Communication: Clearly, completely and concisely communicates ideas and adapts style and content of communication appropriate for the audience

- Influence: Gains support and buy-in from others in order to motivate them to achieve business goals and objectives

- Technology: Working knowledge of technology applications and infrastructure (e.g., server, network, platform, desktop environment) and ability to identify and validate risks and controls

- Builds and sustains relationships: Builds and maintains networks of relationships and effectively leverages them to achieve work-related objectives

- Organization: Exceptional organizational skills; a high degree of attention to detail and ability to manage multiple priorities

- Drive: Self-starter with an ability to be proactive

- Operational Risk Knowledge: Understanding of relevant local technology risk regulations and the associated application to a financial services business

- Senior level of relevant risk experience from roles in any of the following:

- Regulatory (e.g., working as a financial services regulator or having experience dealing with regulators)

- Audit (internal or external)

- Risk Officer / Information Security Officer

- Technology Risk Governance

- Risk Assessment (e.g., RCSA)

- Control Testing (e.g., SOX)

- Information Security / IT Security (e.g., Entitlements Management, Segregation of Duties, Threat Management, Penetration Testing, Strategy)

- Technology / Information Security Policy / Procedures

- Process/Risk/Control Frameworks, e.g., COBIT

Desired Skills and Competencies

- Business/Product Knowledge: Familiarity and experience with financial services and the processes related to the marketing, selling and trading of securities, derivatives and/or commodities in the financial services industry is a strong plus, but is not required.

Qualifications Desired

Certifications: Attainment of the following certifications is a strong plus, but not required

- Certified in Governance for Enterprise IT (CGEIT)

- Certified Internal Auditor

- Certified Information Systems Auditor (CISA)

- Certified Information Security Manager (CISM)

- Certified Information Systems Security Professional (CISSP)

- Certified in Risk and Information Systems Control (CRISC)

- ISO 27001 Auditor