Assistant Vice President - IT Risk and Controls
Location: New York, NY, USA
Permanent, Full time
Moody's IT Risk Management is looking for an Assistant Vice President who will be aligned to the IT Risk function and manage the IT Controls Program. This is a position requiring a strong background in IT Controls practices and solid communication and organization skills.
The ideal candidate is highly motivated and willing to take on challenges, able to multi-task to succeed, and able to work independently with minimal oversight. The candidate has a deep understanding of the IT control landscape and is able to articulate complex information through reports, dashboards and presentations that tell a story.
The Moody's IT Risk Management team is globally responsible for helping the organization balance risk by aligning policies and procedures with Moody's business and regulatory requirements. The team is responsible for the development, enforcement and monitoring of security controls, policies and procedures, disaster recovery programs, GRC (Governance, Risk and Compliance) reporting and the delivery of security services including the company's Cyber Security program. The IT Risk Management team sets strategic direction for IT risk and security and aligns with stakeholders throughout the organization.
Functional responsibilities include:
• Ensure that controls are sufficiently designed, documented, and evidenced to satisfy risk, audit and regulatory objectives:
  • Build security control and risk scorecards, metrics, and reporting capabilities in GRC to support assessment of security compliance and risk posture.
  • Direct the cross-organization/business unit Controls Working Group and operational teams to address security controls and compliance, coordinate exception evaluations, and track risk remediation activities, temporary exceptions, and control status and ownership.
  • Advocate, coach and highlight the impact of IT policies, standards, procedures and initiatives to promote, support and enhance security controls, and negotiate resolutions of issues which arise during deployment and implementation of IT controls and related practices.
  • Enable continuous technology compliance by maintaining up-to-date controls, coordinating controls testing and monitoring, and identifying and escalating control non-compliance.
• Serve on the team which is Moody's IT (MIT) central point of contact for internal and external audit and regulatory activities:
  • Assist in organizing and preparing MIT responses to regulatory and audit requests, including drafting of talking points and presentations on topics such as control design/execution and strategic risk mitigation programs.
  • Regularly liaise with Moody's Compliance, Audit and Legal functions to proactively monitor pending and proposed legislation and upcoming reviews in order to adequately prepare for and adapt to new or heightened expectations.
  • Schedule, coordinate and lead self-assessments and tabletop exercises within MIT to help prepare teams for anticipating questions and requests related to upcoming audits.
  • Track remediation on reported audit and regulatory observations to ensure timely and comprehensive resolution; on a regular basis, issue reports to IT leadership on the current state.
  • Formalize ongoing processes to support risk management and audit/compliance activities, identifying opportunities to integrate these into our technology enablement approach.
Minimum education and work experience required for this position include:
• Minimum 5+ years of experience in IT Risk Management, Information Security and/or IT Audit, preferably within the financial services industry or a consulting organization.
• BS or BA degree, preferably in technology, business or equivalent.
• Relevant certifications, such as CISSP, CRISC, CISA, CISM, are a plus.
• Control program execution and reporting management through a Governance Risk and Compliance solution.
• Experience working with US federal/state and international regulators (SEC, ESMA, JFSA, etc.) on IT control management and remediation.
• Strong knowledge of laws, regulations and standards that govern Information Security practices such as SANS CSC, NIST CSF, FFIEC, SOX, PCI, HIPAA and state and federal privacy laws.
• Experience managing an ISO-27002 or NIST aligned security program.
• Experience programmatically assessing and managing security risks associated with vendors, confidential and personal data, critical IT assets, technology projects, and business initiatives.
• Demonstrated leadership in GRC tool selection, deployment and management and in GRC workflow definition and automation.
• Experience coordinating across business units, audit, compliance and legal teams to provide outside entities with technology evidence, documented exceptions, mitigating controls, and/or remediation activities underway to verify technology compliance.
• Demonstrated ability to handle multiple tasks with shifting deadlines and priorities under limited supervision.
• Strong written and oral communication skills including the ability to interact directly with customers that do not have an IT background.
• Strong presentation skills for large audiences of varying IT backgrounds; ability to adjust the message and filter details based on the audience.
• Demonstrated ability to interact effectively, internally and externally.
Moody's is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, sex, gender, age, religion, national origin, citizen status, marital status, physical or mental disability, military or veteran status, sexual orientation, gender identity, gender expression, genetic information, or any other characteristic protected by law. Moody's also provides reasonable accommodation to qualified individuals with disabilities in accordance with applicable laws. If you need to inquire about a reasonable accommodation, or need assistance with completing the application process, please email firstname.lastname@example.org. This contact information is for accommodation requests only, and cannot be used to inquire about the status of applications.
For San Francisco positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the San Francisco Fair Chance Ordinance. For New York City positions, qualified applicants with criminal histories will be considered for employment consistent with the requirements of the New York City Fair Chance Act. For all other applicants, qualified applicants with criminal histories will be considered for employment consistent with the requirements of applicable law.
Candidates for Moody's Corporation may be asked to disclose securities holdings pursuant to Moody's Policy for Securities Trading and the requirements of the position. Employment is contingent upon compliance with the Policy, including remediation of positions in those holdings as necessary.