Security Control Testing

Job Description – Information Security Control Testing – New York based 

Primary Responsibilities

Based in New York, the role’s responsibilities include: 
– Delivering and operating the objectives of the global control testing program and managing control testing requirements 
– Building strong positive relationships with the local Information Security / Risk community, within Technology and also the Firm, for example Internal Audit, Operational Risk Department, Risk Officers, Business Unit Information Security Officers (BUISOs) 
– Developing and delivering program specific communications and education to stakeholders on risk and control related matters e.g. technology and information security governance forums 
– Presenting overview / results of testing program to stakeholders, senior management and other relevant parties 
– Coordinating stakeholders across Firm departments (e.g. Divisional Risk Officers and BUISOs) to scope relevant testing e.g. Policy Compliance Testing, request based control testing 
– Planning, performing and/or supervising testing of controls and/or policy compliance, providing regular management reporting on progress to meet regional requirements 
– Producing or reviewing work paper documentation to standards suitable for use by auditors 
– Status, risk and issue reporting on program progress and deliverables 
– Preparing documentation of identified risks and issues for reporting in centralized issue / risk tracking applications 
– Preparing summary reports for Management communication on results of control/compliance testing 
– Monitoring and reporting on status of identified issues impacting relevant programs 

Required Skills 
– Working knowledge of key Technology and Information Security concepts e.g. data classification, protection, policies, governance, privacy, security assessment tools
– Risk and Control Knowledge: Understanding of key concepts related to risk assessment, controls and testing 
– Analytical Thinking: Engages in process-based thinking to effectively obtain, analyze and interpret information, identify root causes of problems, and draw the appropriate conclusions 
– Communication: Clearly, completely and concisely communicates ideas and adapts style and content of communication appropriate for the audience 
– Influence: Gains support and buy-in from others in order to motivate them to achieve business goals and objectives 
– Technology: Working knowledge of technology applications and infrastructure (e.g., server, network, platform desktop environment) and ability to identify and validate risk and controls 
– Builds and sustains relationships: Builds and maintains networks of relationships and effectively leverages them to achieve work-related objectives 
– Organization: Exceptional organizational skills; a high degree of attention to detail and ability to manage multiple priorities 
– Drive: Self-starter with an ability to be proactive 
– Operational Risk Knowledge: Understanding of relevant local technology risk regulations and the associated application to a financial services business 

Desired Skills and Competencies 
– Business/Product Knowledge: Familiarity and experience with financial services and the processes related to the marketing, selling and trading of securities, derivatives and/or commodities in the financial services industry is a strong plus, but is not required. 

Education, Background & Experience Required 
Education: Bachelor's degree 
A minimum of 10 years of relevant risk experience from roles in any of the following: 
– Regulatory (e.g., working as a financial services regulator or having experience dealing with regulators) 
– Audit (internal or external) 
– Risk Officer / Information Security Officer 
– Technology Risk Governance 
– Risk Assessment (e.g., RCSA) 
– Control Testing (e.g., SOX) 
– Information Security / IT Security (e.g., Entitlements Management, Segregation of Duties, Threat Management, Penetration Testing, Strategy) 
– Technology / Information Security Policy / Procedures 
– Process/Risk/Control Frameworks, e.g., COBIT 

Qualifications Desired 
Certifications: Attainment of the following certifications is a strong plus, but not required 
– Certified in Governance for Enterprise IT (CGEIT) 
– Certified Internal Auditor 
– Certified Information Systems Auditor (CISA) 
– Certified Information Security Manager (CISM) 
– Certified Information Security Professional (CISP) 
– Certified in Risk and Information Systems Control (CRISC) 
– ISO 27001 Auditor 