Information Security Continuity of Business and Controls Manager
Citigroup Inc
Hong Kong


Replacement hire for the Information Security and Risk & Control Officer role for Hong Kong.

The primary role of the Information Security (IS) and Risk & Control Manager is to execute control and risk management programs for Citi Technology Infrastructure Hong Kong, including the following:

Risk and Control Officer Roles

  • Manage internal, external, regulatory and other audits end-to-end; act as audit liaison, interface as required and provide proper perspective on risks and issues.
  • Independently assess the effectiveness of controls, determine the impact of control issues, identify corrective action, and track issues to closure.
  • Collaborate to create Risk Acceptances (RAs), Risk Exceptions (REs), and Corrective Action Plans (CAPs) in the appropriate tools (iCAPs, CIRAS, etc.).

  • Plan, lead, and execute strategic and tactical initiatives on controls and risk management.
  • Provide consultation on controls and risk management.
  • Oversee execution of compliance program activities, including Manager's Control Assessment (MCA), Issue Management, Insurance Questionnaire, Audit Business Monitoring and Records Management.
  • Develop and deliver reports and metrics for management.
  • Coordinate periodic reporting; analyze self-assessment, governance oversight and audit results; and formulate remedial solutions.
  • Work with management to instill a proactive risk management approach and awareness of it.
  • Maintain, distribute and conduct training on the overall risk management process and/or procedural changes.
  • Ensure compliance with Citigroup Information Technology Management Policies (CITMP) and Standards.
Business Information Security Officer (BISO) Roles

  • Communicates and interacts regularly with employees and business management on IS-related programs, policies, and standards
  • Integrates Business and Regional TISO / GISO priorities into day-to-day business
  • Accountable for all IS activities that are relevant to the Business they support
  • Provides general IS consulting services, including interpretation and/or clarification
  • The BISO's primary area of focus is IS Risk Management for the Business they support and its processes
  • Helps security incident response teams resolve and close the investigation of incidents with proactive suggestions
  • Assists in the definition and implementation of IS standards at the business level to ensure that procedures and practices comply with Citi standards
  • Enforces compliance; demonstrates extensive understanding of IS standards and best practices across multiple disciplines
  • Reviews status of business IS program and oversees corrective action when necessary
  • Develops corrective action language for all IS-related gaps and approves all closures by reviewing evidence to ensure the closure meets Citi requirements or industry best practices
  • Engages a TISO, SME or another senior ISO where additional technical knowledge is required
  • Ensures IS awareness materials are distributed per CISS requirements. Monitors / tracks IS training per CISS requirements
  • Ensures IS Risk Assessment is performed according to Citi standards by partnering with the businesses throughout the ISRA process and determines the impact of control deficiencies
  • Educates and advises the business on safe IS practices and current, changing, and / or recommended IS requirements
  • Plans and executes the IS strategy
  • Provides periodic IS risk management reports highlighting key issues and corrective action plans
  • Reports to a business manager with a matrix line to a GISO or reports directly to a GISO
Qualifications

  • Bachelor's degree in a related field; or equivalent work experience
  • 5-8 years' experience in any one area or combined areas of control, risk management, compliance, audit and IT / business project management
  • Note: Non-graduates with strong experience and relevant job exposure to information security, audit or risk management functions are welcome to apply.
  • Experience in Risk Management, Program / Project Management, Continuity of Business or Control & Compliance, and Application Security risk assessment
  • Able to work under pressure, meet tight deadlines and handle crisis management, including support outside office hours
  • Exposure to / familiarity with the various regulations governing IT issued by the Hong Kong Monetary Authority (HKMA) is definitely beneficial
  • Strong understanding of technology infrastructure and information security products
  • Good understanding of information control areas, including authentication, authorization, access control, auditing and cryptography for applications
  • Broad knowledge of the interactions between Business and Technology organizations; ability to manage expectations and maintain key relationships with the business, other Technology groups and vendors
  • Strategic and critical thinking skills
  • Excellent verbal and written communication skills; solid influencing, facilitation and partnering skills; vendor management skills
  • Able to work with people from different levels independently with minimal supervision
  • Proficient in MS Office products, particularly PowerPoint and Excel
  • Certification in at least one of the following will be advantageous: CISA, CISM, CRISC, CISSP
Primary Location

APAC-HKG-Hong Kong-Hong Kong
