Request ID: 28862-1
POSITION: Information Security Risk Specialist
RESPONSIBILITIES INCLUDE (but are not limited to):
This role is to help with the second line of defense.
• They will work with the BISO and TISO and help with risk measures.
• They will provide oversight and make sure the proper protocols are in place.
• They will have oversight and a governance role to help the business further assess its gaps and technology risks.
• This group strictly helps the business assess risk. They will not be fixing those issues.
• They may have to work with the business to assess those teams.
• They may have to escalate those risks to the proper individuals.
Second Line of Defence Risk Management
• Ensure cyber security risks are identified, evaluated, communicated and subsequently managed for the entire life of the risk. Use appropriate tools and processes (e.g. GRC) to track issues and risks.
• Escalate potential cyber risk issues to management, leveraging Operational Risk functions and reporting. Provide challenge, oversight and currency on resolution plans or risk acceptances.
• Participate in Risk Control Self Assessments (“RCSA”):
As the cyber subject matter risk expert, participate in quarterly and annual roundtables or refresh activities with the bank's Operational Risk Officers and business leaders across the enterprise to provide guidance and advice that helps the business areas evaluate and understand Cyber or Information Security Risk.
• Effectively challenge the technology and business units' first line of defense assessments, risk acceptances, exceptions, issues and remediation plans in support of the risk control practices.
• Participate in the Initiative Assessment and Approval Process (IAAP): as the cyber subject matter risk expert, provide an independent risk determination, rating and conditions for approving new initiatives.
• Provide oversight on compliance with standards consistent with Information Security policies and guidelines, and in synergy with the T&O control frameworks.
• Review and provide recommendations on cyber-related policies and 1st line standards and guidelines.
Consulting and Communication
• Establish and manage working relationships with other Corporate Support Areas, Enterprise Operational Risk Management, Operational Risk Officers, Information Security Officers and the broader Information Security community to ensure Information Risks are accurately reflected and clearly understood.
Training and Awareness
• Provide input to communications and training to promote effective Information Security (IS) risk management behaviours and embed Information Risk controls and practices within the organization, leveraging and reinforcing existing awareness programs.
• Provide risk-driven input to new awareness campaigns and targeted training programs.
• Assist local organizations in developing and implementing their own unit or role specific Information Security training and awareness programs as appropriate.
To deliver on these accountabilities, the incumbent must have the following authorities.
• Recommending – input to frameworks and processes as necessary to report IS risk
• Advising – provide insights on enterprise IS Risks
• Monitoring – of practices, processes and mitigation to ensure compliance with requirements
• Monitoring – results of IS Risk programs to assess their effectiveness
• Escalating – IS Risk issues and exposures
• Coordinating – information required to create reports and metrics for the key risk indicators
• Providing – an independent opinion on IS Risk within RCSAs and IAAPs
TOP SKILLS / EXPERIENCE:
• 7-10+ years of information security and information risk experience, with in-depth knowledge of the field. Works with projects and assesses risk. This person can be an information security generalist. This includes firewalls, networks, infrastructure, as well as
• The information security background is essential, but having applied that knowledge as an adviser is prudent. For example, compliance frameworks, audits and working with regulators are all areas they should be able to discuss. They will have to work alongside the business and help guide it.
• They need people who can talk to business people, understand their project, and ask enough questions to determine what the information security risk is to that person's project.
• Working experience of risk assessments – This is fundamental, and they really need someone with this experience.
• Working experience in IS compliance – Need someone who does compliance and assessment and looks at the business side of risk.
• FI Experience – this is highly preferred.
• This manager would love someone who is looking to grow and develop, as this role would turn permanent. If the person is junior for this role, it may still work (junior being 5+ years of experience).
NICE TO HAVE SKILLS/EXPERIENCE:
• Working knowledge of Operating Group businesses is an asset, because they have to be able to speak to the business. If they know something about the business, it will help them.
• Understand how controls work and how to have alternatives.
• University degree