
Technology Control Testing Lead

Jose Merciline
On-site
Montreal, Quebec, Canada
Cybersecurity

Team Profile

The InfoSec, Technology & Cybersecurity Testing Team (ITCT) is a first-line-of-defence (1LOD) Testing and Assessment function focused on assessing the design suitability and testing the operating effectiveness of key controls, as well as compliance with Technology, Information Security, and Cybersecurity Policies. The program operates within the global framework and in line with regulatory requirements and industry best practice, while partnering with various stakeholders to ensure that the objectives of the relevant programs are met. As a result of the recent acquisition of E*TRADE by our company, ITCT is expanding its testing coverage to include E*TRADE's controls, processes, procedures, and technology assets.


Primary Responsibilities

The role’s responsibilities include:

- Using the Risk and Control Framework (RCF), identify the corresponding controls in place at E*TRADE

- Plan, oversee, and review the execution of detailed inspection- and sample-based testing of compliance with RCF controls

- Provide regular management reporting on progress

- Build strong positive relationships with the E*TRADE Information Security / Risk community, Internal Audit, Operational Risk Department, and Risk Officers.

- Deliver program-specific communications to stakeholders on risk- and control-related matters, e.g. at technology and information security governance forums

- Present results to stakeholders, senior management and other relevant parties

- Prepare documentation of identified risks and issues for reporting in centralized issue / risk tracking applications


Experience

- Working knowledge of key Technology and Information Security concepts, e.g. data classification, protection, policies, governance, privacy, security assessment tools

- Understanding of key concepts related to risk assessment, controls and testing

- Engages in process-based thinking to effectively obtain, analyze and interpret information, identify root causes of problems, and draw the appropriate conclusions

- Working knowledge of technology applications and infrastructure (e.g., server, network, platform, desktop environment) and the ability to identify and validate risks and controls

- Understanding of relevant local technology risk regulations and the associated application to a financial services business


Desired Skills and Competencies

- Excellent written and verbal communication skills.

- Good organizational skills; a high degree of attention to detail and ability to manage multiple priorities

- Business/Product Knowledge: Familiarity and experience with electronic trading platforms is a strong plus, but is not required


Education, Background & Experience Required

Education: Bachelor's degree

A minimum of 5 years of relevant risk experience from roles in any of the following:

- Audit (internal or external)

- Risk Officer / Information Security Officer

- Technology Risk Governance

- Risk Assessment (e.g., RCSA)

- Control Testing (e.g., SOX)

- Information Security / IT Security (e.g., Entitlements Management, Segregation of Duties, Threat Management, Penetration Testing, Strategy)

- Regulatory (e.g., working as a financial services regulator or having experience dealing with regulators)

- Technology / Information Security Policy / Procedures

- Process/Risk/Control Frameworks, e.g., COBIT


Qualifications Desired

Certifications: Attainment of the following certifications is a strong plus, but not required

- Certified Information Systems Auditor (CISA)

- Certified in the Governance of Enterprise IT (CGEIT)

- Certified Internal Auditor (CIA)

- Certified Information Security Manager (CISM)

- Certified Information Systems Security Professional (CISSP)

- Certified in Risk and Information Systems Control (CRISC)

- ISO 27001 Auditor