Replacement for Information Security and Risk & Control Officer for Hong Kong.
The primary role of the Information Security (IS) and Risk & Control Manager is to execute control and risk management programs for Citi Technology Infrastructure Hong Kong, including the following:
Risk and Control Officer Roles
Manage internal, external, regulatory and other audits end-to-end, act as audit liaison, interface as required and provide proper perspective on risks and issues.
Independently assess the effectiveness of controls, determine the impact of control issues, identify corrective action, and track issues to closure.
Collaborate to create Risk Acceptances (RAs), Risk Exceptions (REs), and Corrective Action Plans (CAPs) in the appropriate tools (iCAPs, CIRAS, etc.).
Plan, lead, and execute strategic / tactical initiatives on controls and risk management.
Provide consultation on controls and risk management.
Oversee execution of compliance program activities including Manager's Control Assessment (MCA), Issue Management, Insurance Questionnaire, Audit Business Monitoring and Records Management.
Develop and deliver reports and metrics for management.
Coordinate periodic reporting; analyze self-assessment, governance oversight and audit results; and formulate remedial solutions.
Work with management to instill a proactive risk management approach and awareness of it.
Maintain, distribute and conduct training on the overall risk management process and / or procedural changes.
Ensure compliance with Citigroup Information Technology Management Policies (CITMP) and Standards.
Business Information Security Officer (BISO)
Communicates and interacts regularly with employees and business management on IS related programs, policies, and standards
Integrates Business and Regional TISO / GISO priorities into day-to-day business
Accountable for all IS activities that are relevant to the Business they support
Provides general IS consulting services including interpretation and / or clarification
The BISO's primary area of focus is IS Risk Management for the Business they support and its processes
Helps security incident response teams resolve and close the investigation of incidents with proactive suggestions
Assists in the definition and implementation of IS standards at the business level to ensure that procedures and practices comply with Citi standards
Enforces compliance; demonstrates extensive understanding of IS standards and best practices across multiple disciplines
Reviews status of business IS program and oversees corrective action when necessary
Develops corrective action language for all IS-related gaps and approves all closures by reviewing evidence to ensure the closure meets Citi requirements or industry best practices
Engages a TISO, SME or another senior ISO where additional technical knowledge is required
Ensures IS awareness materials are distributed per CISS requirements. Monitors / tracks IS training per CISS requirements
Ensures IS Risk Assessment is performed according to Citi standards by partnering with the businesses throughout the ISRA process and determines the impact of control deficiencies
Educates and advises the business on safe IS practices and current, changing, and / or recommended IS requirements
Plans and executes the IS strategy
Provides periodic IS risk management reports highlighting key issues and corrective action plans
Reports to a business manager with a matrix line to a GISO or reports directly to a GISO
Bachelor's degree in a related field; or equivalent work experience
5-8 years' experience in any one area or combined areas of control, risk management, compliance, audit and IT / business project management
Note: A non-graduate with strong experience and relevant job exposure to information security, audit or risk management functions is welcome to apply.
Experience in Risk Management, Program / Project Management, Continuity of Business or Control & Compliance, Application Security risk assessment
Able to work under pressure, meet tight deadlines and handle crisis management, with non-office-hour support
Exposure to / familiarity with the various regulations governing IT from the Hong Kong Monetary Authority (HKMA) is definitely beneficial
Strong understanding of technology infrastructure and information security products
Good understanding of information control areas including authentication, authorization, access control, auditing and cryptography for applications
Broad knowledge of the interactions of Business and Technology organizations; ability to manage expectations and maintain key relationships with the business, other Technology groups and vendors
Strategic and critical thinking skills
Excellent verbal and written communication skills; solid influencing, facilitation and partnering skills; vendor management skills
Able to work with people from different levels independently with minimal supervision
Proficient in MS Office products, particularly PowerPoint and Excel
Certification in at least one of the following will be advantageous: CISA, CISM, CRISC, CISSP
APAC-HKG-Hong Kong-Hong Kong