Mgr., Information Security & Tech. Risk Management

Purpose of the Role:
The Manager, Information Security & Technology Risk Management provides IT risk management services to business as usual (BAU) and project teams based on the FirstCaribbean Technology risk management processes and procedures. The incumbent participates in security reviews, walkthroughs, and risk assessments; and assists with the management of third party contracts and agreements to ensure that FirstCaribbean’s information assets are effectively and efficiently protected. The incumbent will work collaboratively with Technology teams and third parties to ensure efficient and effective delivery of information security risk management within FirstCaribbean. As assigned by the Senior Manager, the incumbent will actively contribute to the proactive identification, assessment, mitigation and communication of the Bank’s information security / cybersecurity risks, specifically the effective implementation of the risk management processes, including the periodic risk assessment of information assets. The incumbent will work collaboratively with the T&O Governance, Control & Compliance team to address identified IT control weakness, and maintaining risks at acceptable levels.


Key Accountabilities:

  • In consultation with the senior manager, develops a risk based schedule for business as usual (BAU) baseline risk assessments; collaborating with respective technology and business owners to mitigate any significant issues identified.
  • As requested by senior manager, reviews all contract and third party arrangements to ensure that FirstCaribbean information security policies are adhered to and that sufficient security protection will be afforded to FirstCaribbean information assets.  Escalates concerns / non adherence to senior manager as appropriate.
  • Assists the senior manager with the management of the information security benchmarking and attestation exercises, e.g. completing information security scorecards, undertaking SWIFT attestations to ensure that FirstCaribbean’s information assets are managed in accordance with established polices, standards and regulations; reviews and evaluates systems’ architectures, technical documentation, industry frameworks and standards etc.
  • Assesses applications, infrastructure, business units, business processes and external suppliers for information security risks, identifies the potential threats and exposures and recommends mitigating actions.
  • Conducts security risk assessments of planned initiatives across the organization and produces high quality threat risk assessment reports that clearly articulate the risks identified, along with recommendations on mitigation strategies, as required by the Operational Risk Management framework, the regulators and good practice.
  • Submits mitigating strategies to senior management for appropriate actions and follow-up.
  • Examines and interprets business requirements documents, architecture diagrams, solution designs and other written and verbal information to determine if a project, application, infrastructure or external supplier presents an information security risk to FirstCaribbean. Recommends appropriate mitigating actions and submits mitigating strategies to senior management for appropriate actions and follow-up.
  • Weighs business needs against security concerns and provides risk-based recommendations to enhance information systems security, which are practical and achievable, thereby allowing the project / business sponsor(s) to make informed risk decisions; provides recommendations to enhance the Bank’s information security landscape.
  • Works with third party suppliers / teams and internal development groups to interpret and review results from penetration tests on internet facing applications as needed, recommends mitigating actions for identified control weaknesses. Submits mitigating strategies to senior management for appropriate actions and follow-up.
  • Tracks through to resolution / completion, issues raised during the risk management reviews (TRA / ISA / PEN test / CIRA, code scans / PIRT, etc.). Ensures, as necessary, the logging of identified issues as deficiencies, if mitigation will not be possible prior to project implementation and the associated risk is within the Bank’s risk appetite.
  • Works with respective Technology teams to ensure all vulnerabilities identified are mitigated or risk accepted in accordance with Operational Risk Management policies.
  • Generates key performance indicators (KPIs) and key risk indicators (KRIs) and identifies trends for information security risk and drives visibility and transparency of business value for completed work. Collects, collates and analyses data related to risk management activities completed by the unit.
  • Keeps abreast of financial industry regulations related to Technology risks and information security / cyber risks across the region. Completes gap analysis of current policies, standards and provides recommendations to respective business leaders to ensure that the Bank remains in compliance.
  • Provides first line subject matter expert advice to business units on information / cyber security risk management standards, policies and processes.
  • Participates in the audit and compliance reviews and works with the stakeholders to close audit and compliance deficiencies related to information security / cybersecurity risks. Assists and works with the auditors (internal, external) and regulators, acting as a liaison during their reviews; providing requested artefacts and support.



Critical Knowledge & Skills Required:

  • Information security technologies – excellent and current knowledge of technologies and technology-based solutions dealing with information security issues.
  • Good understanding of current and emerging technologies and their security implications, e.g. Cloud, Agile and Dev Ops.
  • Information security risk management – knowledge of processes, tools, techniques and practices for assuring adherence to standards associated with accessing, altering and protecting organisational data.
  • Decision-making and critical thinking – good knowledge of tools and techniques for effective use of a broad range of factors, assumptions, frameworks and perspectives when solving problems.
  • Direct experience conducting information security risk assessments.
  • Strong understanding of IT security best practices.
  • Demonstrated ability to stay abreast securing evolving technology such as cloud and mobile computing.
  • Knowledge of NIST, Centre for Internet Security (CIS) and IT controls.
  • Good analytical skills.
  • Influencing skills.
  • Able to understand and analyse technology, and risk management principles.
  • Effective written and verbal communication skills:
  1. able to conduct presentations and facilitate group meetings
  2. effectively communicate with technical and non-technical resources
  3. communicate complex and technical issues to diverse audiences
  4. ability to tailor communication style to audience at hand
  • Good organisational skills and good time management.
  • People management skills.
  • Ability to perform independent analysis of problems and distil relevant findings and root causes.
  • A team-focused mentality with the proven ability to work effectively with diverse stakeholders.
  • Understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business.
  • Ability to compile and analyse data for management reporting and metrics.
  • Understanding of organisational mission, values, and goals and consistent application of this knowledge.
  • Ability to react to high pressure dynamic changing environments while maintaining a professional image and approach.



Experience Required:

  • Undergraduate or post graduate degree in Computer Science, Information Security, or a related field and one or more of the following or related professional certifications:
  1. Certified in Risk and Information Systems Control (CRISC)
  2. Certification in Risk Management Assurance (CRMA)
  3. Certified Information Systems Auditor (CISA)
  4. Certified Information Systems Security Professional (CISSP)
  5. Certified Information Security Manager (CISM)
  • At least three years’ experience in information security, with at least one years in IT Risk Management.
  • At least three years’ experience in another IT function, especially IT Audit.
  • At least two years’ experience with regulatory compliance and information security management frameworks, e.g., IS027000, COBIT, National Institute of Science and Technology (NIST )etc.
  • Practical experience with cloud and application security.

Or

  • At least five years’ experience in Information Security or IT Audit and one or more of the following or related professional certifications:
  1. Certified in Risk and Information Systems Control (CRISC)
  2. Certification in Risk Management Assurance (CRMA)
  3. Certified Information Systems Security Professional (CISSP)
  4. Certified Information Security Manager (CISM)
  5. Certified Information Systems Auditor (CISA)
  • Knowledge of or experience with regulatory compliance and information security management frameworks, e.g., IS027000, COBIT, NIST etc., are desirable.
  • Practical experience with cloud and application security.


Position reports to: Senior Manager, Information Security & Technology Risk Management  

Function: Technology

 

Expiry Date: 29 okt 2020

Reference
VAC-4216
Employer
CIBC FirstCaribbean International Bank
Hours
Employment Type
Salary and benefits
In accordance with appropriate salary schedule.
Salary
Salary negotiable
Your Career Level
Mid Career
Years Experience
Minimum of Eight (8) years'
Your Education Level
Undergraduate Degree|in Computer Studies
View Employer
Apply
Log In and Apply
Upload your CV/Resume
Additional Personal Details
Other details about you

Terms of Use/Notifications

Do you agree to our Terms of Use & Privacy Statement?

Receive updates & notifications from Caribbean Opus

Apply

Currency

The 10 islands have different currencies. We will be using USD as the general currency on the website.