Published: Sep 10, 2025 - The Information Security Risk Analyst assists in implementing and maintaining policies, procedures, and controls to safeguard company assets and ensure compliance with regulatory requirements such as PCI, SOX, GLBA, and privacy standards. This role involves reviewing and assessing security measures, performing third-party risk assessments, investigating potential violations or breaches, and recommending solutions to mitigate vulnerabilities and exposures. The analyst also evaluates emerging security trends, maintains the information risk register, and prepares reports to support proactive risk management and response planning.

An Introduction to Professional Skills and Functions for Information Security Risk Analyst with a Cover Letter
1. Key Deliverables for Information Security Risk Analyst Cover Letter
- Collaborate with the business teams to gather a full understanding of the data infrastructure, their location, and their usage.
- Assess the security risk level of the information using appropriate methodologies and tools.
- Assess business requirements against security concerns and articulate issues and potential risks to business stakeholders.
- Identify Information Security risks, advise on recommendation techniques, and support tracking of resolution activities.
- Create, disseminate, and update documentation with identified information security risks and controls.
- Provide support to the InfoSec department and stakeholders in the creation of reports that articulate information security trends and vulnerabilities.
- Assess threats and vulnerabilities regarding information assets and recommend appropriate information security controls and measures.
- Manage and maintain the Group Information Security Risk Register.
- Assist and coordinate third-party information security risk management.
Skills: Risk Assessment, Data Analysis, Threat Management, Security Compliance, Risk Register, Reporting Skills, Vendor Risk, Stakeholder Communication
2. Outcomes for Information Security Risk Analyst Cover Letter
- Identify security risks and issues and produce high-quality documentation to articulate and report them.
- Support and challenge the business in documenting and reporting their risks and controls via the Risk & Control Self Assessment.
- Support and challenge the Group’s first-line security, resilience, and technology teams on the management of risk.
- Develop relevant tools and methodologies to ensure identified controls.
- Perform analysis to identify, evaluate, and understand themes in data sets and provide reports to senior management.
- Contribute to idea generation, from suggesting improvements to established processes to creating new utilities.
- Provide consultative subject-matter expertise.
- Support the Technology and Resilience Risk Manager in delivering the Operational Risk Framework.
- Support additional Operational Risk management activities as deemed necessary from time to time.
Skills: Risk Identification, Control Assessment, Risk Management, Tool Development, Data Analysis, Process Improvement, Subject Expertise, Operational Risk
3. Key Performance Indicators (KPIs) for Information Security Risk Analyst Cover Letter
- Ensure compliance with the Securities and Exchange Commission and Information Technology Risk Management guidelines.
- Work with various departments to ensure adequate Business Continuity Planning (BCP) and Disaster Recovery (DR).
- Evaluate, perform proof-of-value/proof-of-concept, design, build, and implement enterprise-class cybersecurity systems.
- Proactively ensure the highest levels of systems and infrastructure availability.
- Identify and recommend improvement areas in the existing enterprise security architecture to address evolving cybersecurity threats.
- Align and balance business requirements with cybersecurity and IT requirements, based on the organization’s risk appetite.
- Manage cybersecurity projects with virtual teams and ensure successful implementation to meet organisational objectives.
- Facilitate new employee onboarding and offboarding with the purchase, recording, and management of fixed IT assets.
- Prepare monthly reports for the IT Committee.
- Prepare quarterly and annual BoD reports for IT performance.
- Monitor technology-related performance through the tools that have been set up and coordinate with the Group technology department to solve system-related issues.
Skills: Regulatory Compliance, BCP/DR Planning, Cybersecurity Implementation, Systems Availability, Security Architecture, Risk Alignment, Project Management, IT Reporting
4. Milestones for Information Security Risk Analyst Cover Letter
- Update the Cybersecurity Framework based on evolving requirements and changes in security capabilities.
- Perform initial and periodic assessments of risk on information and technology assets.
- Support business stakeholders and IT in the development of risk response plans.
- Provide consultation on projects, initiatives, and related requests.
- Collaborate with IT in identifying, assessing, monitoring, and reporting on new and emerging threats and vulnerabilities.
- Support the onboarding of third parties and related services through the Vendor Management Program.
- Provide support for maintaining key information libraries (e.g., risk, controls, etc.) within the integrated risk management platform.
- Assist with the development, modification, implementation, and training of policies, procedures, and programs.
- Actively participate in and contribute to program and operational working groups.
- Implement key risk oversight functions in support of the information security assurance and continuous monitoring program.
- Maintain up-to-date knowledge of systems and technologies while acquiring knowledge of emerging technologies, risks, and threats.
Skills: Cybersecurity Framework, Risk Assessment, Risk Response, Threat Monitoring, Vendor Management, Policy Development, Risk Oversight, Emerging Technologies
5. Criteria for Information Security Risk Analyst Cover Letter
- Engage Business System Owners to communicate and disseminate security best practices across all systems and projects.
- Define and ensure security measures are implemented across various environments, in line with regulatory demands and security best practices.
- Define, coordinate, and track associated remediation actions according to a mutually agreed plan.
- Contribute to the development of policy and control framework, specifically to information risk and information handling.
- Take ownership of the regional implementation of security good practices.
- Co-develop security awareness campaigns and training with global outreach associates and third parties, including business associates, e.g., those tasked with security-relevant assignments.
- Take the lead on security and technical projects.
- Develop and maintain IT Security policies and procedures.
- Maintain and enhance the IT Security Awareness initiative, including organization-wide and departmental training, articles, posters, and desktop exercises.
- Stay current on evolving information security risks, cybersecurity trends, mitigation tools, and changes to security regulations impacting financial institutions.
Skills: Security Communication, Security Implementation, Remediation Management, Policy Development, Regional Security, Awareness Training, Project Leadership, Regulatory Knowledge
6. Scope of Work for Information Security Risk Analyst Cover Letter
- Serve as a member of the information security team within the GRC and Security Architecture group.
- Maintain documentation, prioritization, and tracking of items such as the risk register, identified vulnerabilities, exceptions, and major security improvements to the platform.
- Turn findings from vulnerability assessments, penetration testing, and other technical risk evaluations into prioritized, actionable remediation and mitigation tasks for impacted teams.
- Operate the cybersecurity training and awareness program for the organization.
- Perform recurring internal audits such as access reviews and firewall reviews.
- Recommend risk reduction steps to be implemented and maintained through policies, procedures, frameworks, and technical controls.
- Develop and maintain relationships with Engineering, IT, Legal, People, and Product teams.
- Regularly interact with business units to understand their plans, risk posture, and tolerance, and provide security and risk-focused support for their vision and obligations.
- Support organizational risk posture through the development of controls and processes used in test, quality assurance, and production environments from conception to completion.
- Collect key performance indicators and related operational metrics, and track SLAs to validate success and identify future areas of improvement.
Skills: Risk Tracking, Vulnerability Management, Remediation Planning, Security Training, Internal Auditing, Policy Development, Cross-Functional Collaboration, Metrics Analysis
7. Expertise Areas for Information Security Risk Analyst Cover Letter
- Perform IT/IS risk assessments on applications and other assets.
- Support the IS/IT Application Risk Assessment Program by coordinating and facilitating assessment activities with vendors, business owners, and subject matter experts.
- Improve and streamline the workflow process for risk assessments and issue management.
- Schedule, coordinate, and review security assessments of new and existing third-party service providers to ensure compliance with regulatory and audit obligations.
- Review controls such as SSAE 18, SOC 1, SOC 2, penetration testing, ISO 27001, and third-party attestation artifacts.
- Participate in vendor risk management, IT, application, and product team projects, and collaborate with third-party service providers to integrate, maintain, and enforce security requirements.
- Maintain the Risk and Control Self-Assessment framework within the department.
- Advise management on information system security and cybersecurity matters, including new or modified solutions and processes, best practices, and the evolving threat landscape.
- Prepare quarterly reports on information risk for discussion and approval in the information security steering board.
- Maintain a current understanding of relevant information security and technology regulations, industry trends, and organizational policies, ensuring practical application in daily activities.
Skills: Risk Assessment, Vendor Management, Process Improvement, Security Assessments, Control Review, RCSA Management, Cybersecurity Advisory, Regulatory Compliance
8. Key Strengths for Senior Information Security Risk Analyst Cover Letter
- Enforce and interpret security policies, procedures, and regulatory requirements by performing project, application, cloud, and vendor security risk assessments.
- Provide security consulting on complex issues involving combinations of platforms and computing environments, especially in areas of e-commerce, cloud-based solutions, and mobile technologies.
- Mitigate vulnerability and configuration deficiencies by conducting investigations of possible security exceptions.
- Perform assessments of vendor risk, develop mitigation plans, and partner with internal stakeholders to assign monitoring responsibility.
- Implement, update, maintain, document, and improve security programs.
- Maintain awareness of existing and proposed security standard-setting groups, state, federal, and international legislation, and regulations pertaining to information security, data privacy, and retail and pharmacy operations.
- Assess and/or implement appropriate security methods and control techniques such as password and access management, segregation of duties, logging and monitoring, data encryption, and data backup and recovery.
- Prepare status reports for management on security matters and develop security risk analysis scenarios and response procedures.
- Perform periodic assessments of information systems, people, and processes to identify security vulnerabilities and develop and execute remediation action plans.
- Assist customers in identifying security controls for the company's networks, application systems, encryption and key management, infrastructures, authentication, and authorization.
- Act as a liaison to the business and IT groups and assist them in the implementation of data privacy, compliance requirements, and information security technologies and application security.
- Lead projects and provide guidance and training to less experienced staff.
Skills: Policy Enforcement, Security Consulting, Vulnerability Mitigation, Vendor Risk, Security Programs, Regulatory Awareness, Access Control, Project Leadership
9. Primary Focus for Information Security Risk Analyst Cover Letter
- Assist in the implementation of policies and procedures to adequately address and control the risk management of the company's assets, and maintain the Information Security Manual.
- Review and analyze existing information security measures, recommend changes, and assist in ensuring such measures are appropriately implemented, administered, monitored, and updated in response to business conditions.
- Perform Information Security third-party due diligence and ongoing assessments of vendors to assess risks and determine the effectiveness of controls.
- Investigate and report IS violations, third-party data breaches, and supply chain vulnerabilities.
- Conduct reviews and risk assessments to identify weaknesses or security exposures, assess impact, and recommend solutions to mitigate risks and exposures.
- Assist with annual compliance requirements, including PCI, SOX, GLBA, and privacy.
- Assist with issues and exception management processes and maintenance of the information risk register.
- Evaluate products and procedures to ensure compliance with security and privacy regulatory requirements.
- Perform research and analysis of emerging and disruptive Information Technology and Information Security trends and tendencies that may affect the Bank.
- Prepare status reports on security matters to develop security risk analysis scenarios and response procedures.
- Be aware of risk within the functional area, observe all policies, procedures, laws, regulations, and risk limits specific to the role, and raise and report known or suspected violations to the appropriate Company authority in a timely fashion.
Skills: Policy Implementation, Security Review, Vendor Due Diligence, Incident Investigation, Risk Assessment, Compliance Support, Risk Register, Emerging Threats
10. Operational Insights for Senior Information Security Risk Analyst Cover Letter
- Responsible for the development and implementation of Third Party Risk Governance practices along with other Information Security and Risk practices.
- Support Third Party Risk Management Oversight and collaborate with the Vendor Management Manager and business stakeholders.
- Perform third-party and vendor security and risk reviews.
- Assist with third-party incident response activities.
- Oversee Third Party Risk Reporting and track risk remediation efforts.
- Support the development of Information Governance practices.
- Contribute to security policies, standard procedures, and departmental process workflows to improve effectiveness and efficiency within the Security/Risk function.
- Maintain an inventory of exceptions to Information Security policies, standards, controls, and configuration requirements.
- Apply industry experience and knowledge to provide expertise and ensure the organization’s security governance framework complies with applicable regulations, including evolving data privacy requirements.
- Support monitoring and oversight activities.
- Assist in developing Key Metrics (KPIs and KRIs) and prepare reports for the Enterprise Risk and Information Security Officer and Senior Leadership, highlighting achievements, successes, challenges, and opportunities for improvement.
- Leverage IRM/GRC tools and other resources for automated, continuous monitoring of information security controls, assessments, and testing, as well as for developing reporting metrics, dashboards, and evidence artifacts to ensure sustainable compliance.
- Perform technology risk and control assessments, including account control reviews for systems, applications, infrastructure, and operational processes.
Skills: Third-Party Governance, Vendor Oversight, Incident Response, Risk Reporting, Information Governance, Policy Development, Security Compliance, Control Assessments
What Are the Qualifications and Requirements for Information Security Risk Analyst in a Cover Letter?
1. Experience and Requirements for Information Security Risk Analyst Cover Letter
- Experience and knowledge of Information Security and resilience management at the C-level and analyst level.
- Proven Stakeholder Management and Engagement skills with the ability to balance business objectives with Information Security.
- Able to manage own workload without direct supervision to ensure deadlines are met.
- Information security relevant qualification (CISMP, CISM, CISSP, etc.).
- Work experience in one or more domains of compliance, operational risk, and data analysis.
- Hands-on experience in leading or supporting security incident investigations, coordinating response teams, and ensuring lessons learned feed back into resilience planning.
- Knowledge of securing cloud platforms (AWS, Azure, GCP) and awareness of risks in areas like AI, IoT, and DevSecOps practices.
- Experience in preparing for, supporting, and responding to internal/external audits, and ensuring alignment with regulatory frameworks such as GDPR, ISO 27001, or NIST.
- Strong strategic thinking skills and the ability to see the bigger picture, align security initiatives with long-term business goals, and anticipate future risks.
- Good influencing and negotiation abilities, persuading diverse stakeholders, including non-technical executives, to support security and risk initiatives.
- Can stay calm and make sound decisions during high-stakes incidents or crises.
Qualifications: BS in Computer Engineering with 8 years of Experience
2. Skills, Knowledge, and Experience for Information Security Risk Analyst Cover Letter
- Direct work experience in developing information security programs and assessing the effectiveness of such programs, preferably within a financial services organization.
- Working knowledge of security frameworks and general areas of Information Security.
- Understanding of a broad range of Security Frameworks and standards such as PCI, NIST, ISO 27000 series, etc.
- Knowledge of the SOX, Federal Financial Institutions Examination Council (FFIEC), and section 501(b) of the Gramm-Leach-Bliley Act.
- Knowledge of networking, operating systems, platforms, client/server, web applications, and general information security technologies.
- Strong interpersonal, verbal, and writing skills to effectively communicate with a diverse audience.
- In-depth analytical skills, including the ability to consolidate broad data sets from multiple sources, both internal and external, to identify patterns and/or risk factors.
- Able to build and maintain relationships across diverse technical and non-technical teams.
- Must be self-motivated with a strong willingness to learn in a hands-on learning environment.
- Critical thinker with the ability to research, develop, and communicate IT risks and controls.
- Ability to establish and maintain a high level of customer trust and confidence.
- Ability to bridge communications on complex needs and requirements between technical and business-oriented audiences.
Qualifications: BS in Cybersecurity with 6 years of Experience
3. Education and Experience for Information Security Risk Analyst Cover Letter
- Information security experience, ideally having worked with a GRC platform like Archer, Onspring, or Diligent.
- Experience with Linux in an enterprise context.
- Experience working with AWS/Azure/GCP.
- Ability to effectively communicate business risk as it relates to information security.
- Proven familiarity with network and host configurations, application security, cloud security, third-party risk management, and role-based access.
- Familiarity with risk and threat frameworks, as well as the software development lifecycle (SDLC).
- Understanding of vulnerability and configuration management.
- Organized, with the ability to prioritize and complete tasks within defined SLAs.
- Strong written and oral communication skills across varying levels of the organization.
- Excellent judgment with the ability to make quick decisions when working in complex situations.
- High degree of integrity, trustworthiness, and confidence, representing the company with the highest level of professionalism.
Qualifications: BS in Information Technology with 4 years of Experience
4. Professional Background for Information Security Risk Analyst Cover Letter
- Experience in information security risk, information security audit, information security, or equivalent audit or risk management role.
- Working knowledge of information security and technology risk.
- Prior work experience in third-party/vendor management, bank operations, accounting, procurement, legal, internal audit risk, or risk-related roles.
- Understanding of and practical experience with information security risk assessment and information security audits.
- CISSP, CISA, CRISC, or other related certification/accreditation.
- Demonstrated business knowledge of banking-related products, services, and how their associated risks may impact both from a third-party perspective.
- General understanding of banking and financial services processes, and the related risks to securing and managing data.
- General understanding of security and privacy law or regulation, such as GLBA, HIPAA, and GDPR.
- Knowledge of standards and frameworks such as COSO, COBIT, ISO, NIST, and ITIL.
- Ability to use critical thinking skills and good judgment in evaluating situations and making decisions.
- Ability to independently execute non-complex tasks with limited guidance and complex tasks with manager oversight and guidance.
- Self-management, organizational, and planning skills, effectively balancing commitments and meeting deadlines.
- Detail-oriented with strong written and oral communication skills, with the ability to present opinions clearly and concisely.
Qualifications: BS in Software Engineering with 5 years of Experience
5. Accomplishments for Senior Information Security Risk Analyst Cover Letter
- Advanced-level experience in MS Word, MS Excel, MS PowerPoint, etc.
- Experience in auditing/security assessments.
- Experience working with senior levels of management.
- Experience in examining the SSAE 16 Audit, SOC 2, PCI DSS, NY Cyber Security, and other security audit reports.
- Security expertise, including knowledge of different security risk assessment frameworks (NIST/OCTAVE), standards (ISO 27001/HITRUST/ITIL/COBIT), and acts (HIPAA/GLBA).
- Knowledge and understanding of different security products (web/email filtering, disk encryption, vulnerability testing, antivirus, DLP, firewall, etc.).
- Knowledge of technology/software development methodologies, application security, and OWASP Top 10 guidelines.
- Strong listening, communication, and presentation skills.
- Good follow-up skills and detail-oriented.
- Ability to document assessment work papers and prepare assessment reports.
- Ability to manage third-party assessment independently with minimal supervision.
- Possess CISA, CISSP, CPISI, and/or ISO 27001.
- Good project management skills.
Qualifications: BS in Computer Science with 8 years of Experience
6. Key Qualifications for Information Security Risk Analyst Cover Letter
- IT Risk Management/Audit industry certification (such as CISSP, CISA, CRISC, etc.).
- Information security experience, willing to consider other work experience, and the ability to meet requirements.
- Understanding of one or more of the following: NIST Cyber Security Framework, ISO 27001:2013, COBIT, Mitre Top 20 Critical Security Controls.
- Moderately proficient technical skills, including Microsoft Office suite of applications, real-time collaboration technologies (e.g., Cisco Jabber, WebEx Teams, etc.), and endpoint remote access technologies.
- Working knowledge within one or more of the following knowledge domains/technologies: Database and application security, IDS / IPS technologies, System/Access Administration, Firewall technologies, Network Architecture, Security Event Logging and Monitoring, Key Management/Tokenization, Database/Application/Network Layer Secure Protocols, Physical and Environmental Security, Secure Software/Code Development, Change Management, and Vulnerability Management.
- Comfortable working individually or as part of a cross-functional team.
- Proficient in written and oral communication skills.
- Good problem-solving skills and an ability to complete assigned work, including inferring implied tasks.
- Excellent time management and organizational skills.
- Able to meet deadlines and handle multiple priorities.
- Ability to adapt and thrive in a changing environment.
Qualifications: BS in Network Security with 3 years of Experience
7. Abilities and Experience for Senior Information Security Risk Analyst Cover Letter
- Experience in information security, especially in an information risk analysis role, risk management, and/or IT audit role.
- Experience with regulatory compliance and information security management frameworks (e.g., ISO 27000, COBIT, NIST 800, etc.).
- Knowledge of common cybersecurity frameworks and standards (e.g., NIST 800-171, ISO 27001/27002).
- Skill in conducting internal or external risk assessments and guiding the implementation, monitoring, and reporting of control processes, documentation, and compliance measures, and/or remediation items.
- Prior experience managing a security awareness program.
- Familiarity with UC information security policy (i.e., IS-3), program, and procedures.
- Ability to create and interpret technical diagrams (e.g., network diagrams, data flow diagrams).
- Project management experience with PMP.
- Experience with Governance, Risk & Compliance and/or Vendor Risk Management platforms.
- Possess CISSP, CISA, and/or CISM.
- Strong interpersonal skills sufficient to work effectively with both technical and non-technical personnel at various levels in the organization.
- Ability to follow department processes and procedures, including knowledge of other areas of IT, department processes, and procedures.
- Knowledge of common computer hardware, software, and network security issues.
- Proven prioritization capabilities, with an aptitude for breaking down work into manageable parts, effectively assessing the priority and time required to complete each part.
Qualifications: BS in Data Science with 7 years of Experience
8. Education, Knowledge and Experience for Information Security Risk Analyst Cover Letter
- Working knowledge of information security methodologies, policies, standards, and procedures, more specifically, information security risk management.
- Working knowledge of Information Technology concepts, hardware (e.g., server, network, etc.), and core software (e.g., operating systems, databases).
- Experience in operational practices (e.g., identity management, change control, asset management, etc.) and related security capabilities (e.g., firewall, IDS/IPS, SIEM, DLP, etc.).
- Working knowledge of common productivity software applications (i.e., MS Outlook, Word, Excel, PowerPoint, etc.).
- Ability to communicate effectively, including facilitation and presentation to technical and non-technical audiences, including IT, Business Line Managers, and other stakeholders.
- Ability to manage and execute tasks/assignments on multiple projects, initiatives, and/or work streams simultaneously.
- Strong analytical skills with the ability to apply creative thinking and balanced approaches to solving complex business problems.
- Strong ability to translate objectives into work plans, products, and tasks and deliver quality results on time and within scope.
- Strong ability to maintain focus, complete objectives, and achieve results in a changing and evolving work environment.
- Strong ability to adapt to changing priorities and work assignments.
- Strong ability to work independently, under limited direction, in the completion of assigned work.
Qualifications: BS in Information Systems with 5 years of Experience
9. Skills Overview for Information Security Risk Analyst Cover Letter
- Applied information security experience in a mid-market business or larger, or IT architecture, administration, or implementation experience where information security was a component of the job responsibility.
- Experience working in Governance, Risk, and Compliance programs.
- Hold one or more of the following certifications: CISSP, CSSLP, GIAC, GSEC, CRISC, CISA.
- Ability to work and influence within a matrix environment and build effective business partnerships at all levels.
- Can effectively assess processes, risks, and controls, identify emerging risks and issues, analyze large bodies of risk data, and communicate results concisely and comprehensively to multiple stakeholders across the organization.
- Knowledge of security and control frameworks, such as ISO 27001/27002, COBIT, ITIL, and HITRUST.
- Ability to function within a high-profile technical infrastructure environment and the ability to express and demonstrate this experience.
- Ability to develop, lead, and implement new initiatives appropriate to Information Security Governance, Risk, and Compliance.
- Ability to evaluate and test new techniques and technologies.
- Exceptional time management skills and excellent oral and written communication skills.
- Strong interpersonal skills and ability to cultivate relationships with all internal/external stakeholders, promoting diversity of perspectives, ideas, and cultures.
Qualifications: BS in Management Information Systems with 6 years of Experience
10. Technical Expertise for Information Security Risk Analyst Cover Letter
- Extensive knowledge of Cyber Security risk assessment methods, such as ISRAM, OCTAVE, etc.
- Strong knowledge of Information Security technologies, such as identity and access management, encryption, and multi-factor authentication.
- Understanding of power utilities, retail energy, and oil & gas industry trends and emerging threats.
- Ability to draw upon an external network to understand emerging cybersecurity threats and events.
- Knowledge of internal and/or external regulatory policies, standards, procedures, and controls (e.g., CPNI, NIST, ISO27xx) and other working Cyber frameworks such as Kill Chain, Mitre ATT&CK, VERIS, etc.
- Ability to drive technical consensus and facilitate agreements with challenging stakeholders.
- Can understand business visions and strategy, and anticipate the associated risks from an Information Technology and Security perspective, and how to facilitate business objectives whilst quantifying and managing the Cyber Security risk exposure.
- Experience in a Cyber Security risk function would be ideal, with extensive experience within the 2nd or 3rd line.
- Experience performing Cyber Security risk assessments following an industry framework.
- Working knowledge of modelling of threat scenarios to identify Cyber Security threats arising from new or changing systems and applications.
- Experience facilitating workshops with senior stakeholders from diverse backgrounds to determine cybersecurity risks and assess their ratings.
- Work experience in OT/IoT and Cloud Cyber Security threats, controls, and risks.
- Experience producing communication material and reporting suitable for CxO-level and senior leadership.
- Experience producing effective reporting for the CxO level and undertaking briefings with technology and business leaders.
Qualifications: BS in Cybersecurity with 12 years of Experience