What employers are looking for in an IT Security & Risk Specialist?


1. Summary

1.1. What are the sources here?

1.1.1. Public job descriptions for IT Risk and Security positions

1.1.2. Over the period 2010 - 2012

1.1.3. From Europe and Australia

1.2. Qualifications

1.2.1. Education

1.2.1.1. undergrad

1.2.1.1.1. A Bachelor's or Master's degree in business, accounting, finance, computer science, information systems, engineering and/or other related major

1.2.1.2. postgrad

1.2.1.2.1. Postgraduate degree in a related field (MBA preferred)

1.2.1.2.2. Master's degree in financial engineering or other relevant education (HEC with mathematics specialization, physics, statistics, etc.)

1.2.1.3. areas

1.2.1.3.1. degree in business, accounting, finance, computer science, information systems, engineering and/or other related major

1.2.2. Certification

1.2.2.1. CISSP, CISA, CISM, or CGEIT

1.2.2.2. CISM, CISA, CRISC, or CISSP

1.2.2.3. Security

1.2.2.3.1. ISO 27000 / 17799

1.2.2.3.2. PCI DSS

1.2.2.3.3. AS 4360

1.2.3. Demonstrated understanding of IT security and risk related legislation, regulations and standards

1.2.4. Government

1.2.4.1. Protective Security Manual, Information Security Manual (ACSI 33)

1.3. Personality

1.3.1. Summary

1.3.1.1. Integrity

1.3.1.2. Conscientiousness, rigour, and a "critical eye"

1.3.1.3. Flexibility, resistance to pressure

1.3.1.4. Big picture

1.3.1.4.1. can step back and understand the context of problems before applying analytical skills to address the issues

1.3.1.5. Continuous learner

1.3.1.5.1. Maintain an educational program to continually develop personal skills

1.4. Personal Skills and Working Style

1.4.1. Analytical

1.4.1.1. Excellent mathematics and algorithmic knowledge with a strong ability to understand and analyse quantitative results and statistics

1.4.1.2. Ability to manage and analyze data

1.4.1.3. Strong problem solving

1.4.1.4. Able to make both detailed and rapid analysis where required with equal effectiveness

1.4.1.5. Be able to analyze and assess the real risks associated with IT Infrastructure and application security within the firm

1.4.1.6. Identify and evaluate the effectiveness of controls designed to address those risks identified

1.4.1.7. Provide practical, innovative, and value-adding solutions to issues identified

1.4.1.8. Monitor and review results, trend data, changes in risk profile and developments in specific business areas to facilitate ongoing planning and the changing risk posture

1.4.1.9. Assist with pre-implementation reviews, examining business risk and project risk

1.4.1.10. Identify controls and weaknesses, and provide agreeable recommendations to improve the quality and effectiveness of the control environment.

1.4.2. Relationship Management

1.4.2.1. Client relationship management experience and skills

1.4.2.2. Ability to galvanize support of others where possible

1.4.2.3. Strong teambuilding skills including promoting cooperation and good working relationships among team members, remaining positive and supportive during change, and building rapport and trust with IT Risk stakeholders and other partners.

1.4.2.4. strong relationship management skills

1.4.2.5. Strong interpersonal and oral/written communication skills, able to build relationships at all levels.

1.4.2.6. Strong interpersonal and influencing skills

1.4.2.6.1. Strong interpersonal alliances at all levels both within and outside the firm

1.4.3. Technical

1.4.3.1. General IT technical background

1.4.3.1.1. Operating Systems (e.g. Windows XP, Unix)

1.4.3.1.2. Infrastructure (e.g. Protocols, Cisco)

1.4.3.1.3. Security Components (e.g. Firewalls, IDS, IPS)

1.4.3.2. IT Risk and Security

1.4.3.2.1. IT Risk/Security/Control Industry standards (e.g. ISO 17799, CobiT, COSO, CMMI, ITIL)

1.4.3.2.2. IT Risk Assessments methodologies

1.4.3.2.3. Skill in designing, testing and quality assuring IT controls

1.4.3.2.4. Generic statements to address

1.4.3.3. List

1.4.3.3.1. Have service delivery experience in the financial service industry

1.4.3.3.2. Excellent understanding of current technologies relating to both applications, infrastructure services and support logistics

1.4.3.3.3. Have an understanding of financial services Front-to-Back Processing

1.4.3.3.4. Good understanding of IT operations and logistics, and of how effective organisations and processes operate in a large international environment

1.4.3.3.5. Excellent project management skills and a proven track record in driving forward change programmes in distributed organisations.

1.4.4. Reporting

1.4.4.1. Understanding of metrics development and reporting

1.4.4.2. Ability to identify relevant risk sources

1.4.4.3. Capture and consolidate risk information and report to risk governance committees

1.4.5. Execution

1.4.5.1. (Program) Execution skills

1.4.6. Communication

1.4.6.1. Articulate an independent and balanced opinion in both written and oral form, identifying real issues and providing compelling solutions in a succinct manner

1.4.6.2. Have excellent report writing skills and an ability to communicate complex issues clearly and concisely to non-technical persons

1.4.6.3. Ability to develop and maintain an effective network of relationships, principally within the business globally and within other areas of the bank, where necessary

1.4.6.4. Take initiative and report issues to senior management at local, global functional level

1.4.6.5. Provide support to other team members in relation to particular areas of expertise

1.4.6.6. Have a good level of presentation skills.

1.4.6.7. Ability to present technical information to non-technical persons

1.4.7. Behavioural

1.4.7.1. Plan strategic work streams and ensure that these are delivered in a timely fashion

1.4.7.2. Be a team player, able to lead, direct, participate and support as required

1.4.7.3. Ability to co-ordinate and perform reviews on a global level managing both team requirements and client expectations

1.4.7.4. Have good time management skills completing assignments and producing reports on time and be able to prioritize work effectively

1.4.7.5. Take initiative and act independently with minimal direction

1.4.7.6. Is enthusiastic and self-motivated, is a team player who sets individual goals and objectives that are consistent with those of the group

1.4.7.7. Is dependable and meets deadlines

1.4.7.8. Take responsibility for own development

1.4.7.9. Is customer focused and acts with integrity and honesty.

1.4.7.10. Strong results orientation

1.4.7.11. Provide thought leadership

1.4.7.12. Conceptualise technical risk and translate technical lingo for non-IT/non-technical staff

1.4.7.13. Excellent interpersonal skills and team player, sound judgement and business acumen

1.4.7.14. Excellent written, verbal and presentation skills

1.4.7.15. Well developed time management and project management skills

1.4.7.16. Ability to translate IT risk into business impacts

1.4.7.17. Managing conflicting priorities, including demonstrated capacity to consistently deliver to promise

1.4.8. Teams

1.4.8.1. Work in teams and enjoying collaboration with others

1.5. Personal Experience

1.5.1. IT Controls

1.5.1.1. Designing, testing and quality assuring IT controls

1.5.2. Tools and Processes

1.5.2.1. Implement and maintain

1.5.2.1.1. Assist in the setting up of an efficient set of risk management tools and processes.

1.5.2.1.2. Help to maintain risk management tools, processes and database.

1.5.2.1.3. Stay up-to-date with risk management best practice and propose new tools and processes if necessary.

1.5.3. Reporting

1.5.3.1. Regular, standard reporting

1.5.3.1.1. Produce and distribute periodic risk reports

1.5.3.1.2. "Portfolio" management

1.5.3.2. Ad hoc reporting

1.5.3.2.1. Perform ad hoc and other special studies and communicate results.

1.5.3.3. Monitoring

1.5.3.3.1. Monitor automatic warnings on specific risk exposures

1.5.3.4. Input and participation in meetings

1.5.3.4.1. Participate and assist in meetings with Portfolio Managers

1.5.4. Corporate

1.5.4.1. Experience as a senior subject matter expert or manager of

1.5.4.1.1. Roles and Functions

1.5.4.1.2. Financial industry control and governance disciplines

1.5.4.2. Seniority

1.5.4.2.1. Operating at a senior level of a large organisation

1.5.4.2.2. Management of a program of work across a region, or of sufficient size and complexity

1.5.4.3. Complexity

1.5.4.3.1. Working remotely with international and delivering services for different countries

1.5.4.3.2. Working in large and complex technology or infrastructure programs

1.5.4.4. Project Management

1.5.4.4.1. Strong experience and knowledge of project management principles

1.5.4.4.2. Program of work

1.5.4.5. Teams

1.5.4.5.1. Establishing and coordinating multi-locational teams.

1.5.4.5.2. Management of a program of work across a region, or of sufficient size and complexity

1.5.4.5.3. Working with cross-functional and cross-border teams

1.5.4.6. Input and participation in meetings

1.5.4.6.1. Participate and assist in meetings with Portfolio Managers

1.6. General Background & Requirements

1.6.1. General Time requirements

1.6.1.1. 5+ years work experience in technology field and financial services firm

1.6.1.2. 10+ years work experience in technology field and financial services firm

1.6.1.3. At least 5 years of experience as an analyst, architect or administrator in IT infrastructure, security

1.6.1.4. At least 8 years' experience in the following topics: security assessments, penetration testing, security governance, security controls architecture and design, data privacy and content management

1.6.2. Industry

1.6.2.1. Financial

1.6.2.1.1. Business

1.6.2.1.2. Regulatory

1.6.3. Areas

1.6.3.1. Audit

1.6.3.1.1. IT Internal audit

1.6.3.1.2. IT External Audit

1.6.3.2. IT Risk

1.6.3.2.1. Working knowledge of industry standard risk analysis approaches: COBIT, COSO, ISO 17799.

1.6.3.2.2. Experience as a manager of an IT security, IT risk or IT audit department in the financial services industry

1.6.3.2.3. Experience with development and administration of risk assessments and reviews

1.6.3.2.4. Experience with application assessments utilizing the Information Risk Analysis Methodologies (IRAM)

1.6.3.2.5. Substantial knowledge of risk assessment methodologies, IT policies and standards, awareness and training approaches

1.6.3.2.6. Third party reporting, e.g. SAS 70

1.6.3.3. IT Security

1.6.3.3.1. Working knowledge of industry standard risk analysis approaches: COBIT, COSO, ISO 17799.

1.6.3.3.2. Experience as a manager of an IT security, IT risk or IT audit department in the financial services industry

1.6.3.3.3. Security strategy

1.6.3.3.4. Security architecture design and implementation

1.6.3.3.5. Security assessments, including penetration testing

1.6.3.3.6. Identity access management

1.6.3.3.7. Privacy

1.6.3.3.8. Third party reporting, e.g. SAS 70

1.6.3.4. BCP/DR

1.6.3.4.1. BCP/DR assessment, design, implementation and testing

1.6.3.5. IT

1.6.3.5.1. Knowledge of, and in depth experience with, more than one major IT discipline

1.6.3.5.2. At least 5 years of experience as an analyst, architect or administrator in IT infrastructure, security

1.6.3.5.3. Experience with audit processes and disciplines

1.6.3.5.4. Extensive knowledge of IT operations, information protection strategies, system evaluation, technical architectures, technical controls, and data centric security issues

1.6.3.6. Internal Controls

1.6.3.6.1. Responsibility for the group-wide Internal Control System including the following tasks:

1.6.3.6.2. Support of specialised units in the implementation of internal control systems

1.6.3.6.3. Continuous review and further development of internal control systems

1.6.3.7. Operational Risk

1.6.3.7.1. responsible for the design effectiveness of the firm’s Operational Risk Framework as applied to the Group IT organisation and the firm's Technology Risks.

1.6.3.8. Environment

1.6.3.8.1. experience gained whilst working in large scale environments

1.6.3.8.2. Managing and liaising with third-party suppliers

1.6.3.8.3. Vendor management experience in an outsourced infrastructure environment

1.6.3.8.4. Infrastructure Projects (including ITO, BPO, Infrastructure, Applications, Business Processes/Transformation, Products (Cards, ATMs, Deposits, mortgage processing))

1.6.4. Consulting, Professional Services

1.6.4.1. expressed as

1.6.4.1.1. Proven track record

1.6.4.1.2. Demonstrated experience

1.6.4.2. Client focus

1.6.4.2.1. Strong client services orientation and accustomed to taking an active role in executing engagements

1.6.4.2.2. Track record with a blue chip consulting firm and/or a blue chip firm

1.6.4.2.3. Client relationships

1.6.4.2.4. Developed service orientation, diligence and reactivity regarding management's and clients' concerns or requests

1.6.4.3. Business development

1.6.4.3.1. Sales

1.6.4.3.2. Experience of managing, strengthening and broadening key client relationships.

1.6.4.4. Account management

1.7. Duties and Responsibilities

1.7.1. Teams

1.7.1.1. Work in close co-operation and collaboration with other risk teams for reporting, planning and assessment

1.7.1.1.1. both regionally and globally

1.7.1.1.2. other stakeholders

1.7.1.2. Participate or lead virtual memberships of teams

1.7.1.3. Work in partnership with the senior management teams (in the region)

1.7.2. Adoption and Improvement

1.7.2.1. Drive the awareness, development and implementation of initiatives globally

1.7.2.2. Provide visible leadership and commitment in supporting the rollout and development

1.7.2.3. Provide constructive input into IT Risk methodologies and tools

1.7.2.4. Ensure efficient and effective IT Risk processes across IT

1.7.3. Operational

1.7.3.1. Understand and manage risk appetites and risk profiles

1.7.3.2. Risk assessments

1.7.3.2.1. Manage risks associated with major initiatives such as outsourcing of IT functions

1.7.3.2.2. Deliver risk assessments projects through the SDLC life cycle and relevant critical operational systems

1.7.3.2.3. Third party risk assessments for relevant new and existing vendors

1.7.3.2.4. General and ad hoc technical risk assessments

1.7.3.2.5. Conduct and/or coordinate risk assessments and risk opinions of critical environments & operation

1.7.3.2.6. Assist in developing and implementing appropriate corrective or mitigating actions.

1.7.3.2.7. This includes delivering IT risk and security assessments of applications and infrastructure, reviews of new and existing technologies, understanding and managing risk appetites and risk profiles, and managing the planning and assessment tools

1.7.3.3. Oversight of the local IT Risk accountables in those branches.

1.7.3.4. Support the management of global security incidents

1.7.3.5. Verifies important IT controls on a regular basis to obtain a view on operational effectiveness and identify risk

1.7.3.6. Manage the client's risk register, including reporting and follow-up.

1.7.3.7. responsible for the design effectiveness of the firm’s Operational Risk Framework as applied to the Group IT organisation and the firm's Technology Risks.

1.7.3.8. monitoring internal and external IT relevant events, assessing residual risk, monitoring remediation, thereby providing an independent and objective check on the firm’s IT risk taking activities.

1.7.4. Communication

1.7.4.1. Communication of local IT Risk that may apply globally

1.7.4.2. Assure that the client is being kept updated on any new IT risk management developments, such as new methodologies, policies, tools and/or services

1.7.5. Advisory, Relationship

1.7.5.1. Advisor to stakeholders on information risk, controls, IT control policies and IT control regulatory requirements.

1.7.5.2. Advise on the prioritization and execution of risk remediation, mitigation, and acceptance measures

1.7.5.3. SPOC within IT Risk.

1.7.5.4. Provide risk management advice and guidance including the implementation of regional IT risk and security strategies and policies, and drive mitigation initiatives

1.7.5.5. Understand and manage risk appetites and risk profiles

1.7.5.6. Presentation of working results to the risk owner (heads of business units, executive management) and to the Board

1.7.6. Awareness

1.7.6.1. Communicate IT Risk requirements and best practices, to all staff, consultants and vendors within the region through presentations, training programs, memos, websites, and other relevant communication mechanisms.

1.7.6.2. Assure that the client is being kept updated on any new IT risk management developments, such as new methodologies, policies, tools and/or services

1.7.7. Monitoring and Reporting

1.7.7.1. Assemble, analyze, interpret, consolidate and report appropriate key risk and control indicators and statistics for management information and policy compliance reporting.

1.7.7.2. Understand and manage risk appetites and risk profiles

1.7.7.3. Capture and consolidate risk information and report to risk governance committees

1.7.7.4. Track risk mitigation activities for top risks in the region

1.7.7.5. Presentation of working results to the risk owner (heads of business units, executive management) and to the Board

1.7.8. Leadership

1.7.8.1. Chair/participate in regional industry committees/forums to maintain awareness of trends and best practices, share the leadership/direction of the firm, and monitor changes in applicable regulatory requirements to enhance internal plans in agreement with Regional CIO

1.7.8.2. Provide visible leadership and commitment in supporting the rollout and development of region wide initiatives.

1.7.9. Governance and Regulatory

1.7.9.1. Implement and maintain IT risk governance across regions and divisions as defined by policy

1.7.9.2. Capture and consolidate risk information and report to risk governance committees

1.7.9.3. Track risk mitigation activities for top risks

1.7.9.4. Verifies important IT controls on a regular basis to obtain a view on operational effectiveness and identify risk

1.7.9.5. Obtain a view of compliance to IT policy and standards and recognized industry best practice

1.7.9.6. Coordinate the oversight of IT's compliance with legal and regulatory requirements, ensuring that IT has consistent and effective interactions with regulators

1.7.9.7. Principal point of contact for the business in addressing legal and regulatory compliance concerns affecting IT

1.7.9.7.1. need to know examples here

1.7.9.8. Coordinate the oversight of IT's compliance with Internal and External Audit obligations by providing consultative advice, monitoring and reporting to regional and global IT governance groups.

1.7.9.8.1. Audit

1.7.9.9. Act as first point of contact within IT for Internal and External Auditors

1.7.9.10. Responsibility for the group-wide Internal Control System, including the following tasks: support of specialised units in the implementation of internal control systems; continuous review and further development of internal control systems

1.7.9.11. responsible for the design effectiveness of the firm’s Operational Risk Framework as applied to the Group IT organisation and the firm's Technology Risks.

1.7.9.12. Providing an independent and objective check on the firm’s IT risk taking activities.

1.7.10. General role description

1.7.10.1. Work in close partnership with all parts of the firm; enables business solutions while protecting the bank through identification and mitigation of IT risks, creating a balanced control environment. The group provides a number of services for its clients, including Planning & Assessment, Response & Mitigation, and Oversight

1.7.10.1.1. key word is partnership

1.7.10.2. Delivering IT risk and security assessments of applications and infrastructure, reviews of new and existing technologies, understanding and managing risk appetites and risk profiles, and managing the planning and assessment tools

1.7.10.3. As Head of IT 3rd party vendor risk framework, you will ensure the Bank can continue to manage its vendors within the group operational risk framework, and ensure vendor lifecycle controls are embedded within management processes. The Bank has a number of strategic objectives, and these will be achieved through the use of vendors and service providers. Your role will be key to assisting the Bank achieve these objectives, through the correct selection of vendors via technical due diligence and through ensuring the ongoing management of the vendor is carried out within the risk framework.

1.7.11. Interaction

1.7.11.1. Deep technical knowledge to decipher technical risk

1.7.11.1.1. Conceptualise technical risk and translate technical lingo for non-IT/non-technical staff

1.7.11.2. Provide thought leadership

1.7.11.3. Trusted Advisor

1.7.11.3.1. Be recognised as a trusted advisor to key customers and stakeholders across the Group, through provision

1.7.11.4. Develop and Maintain effective working relationships

1.7.11.4.1. (e.g. Group Compliance, Group Audit)

1.7.11.5. Respect of technical people

1.7.11.5.1. Ability to perform Information Security risk assessments, working with appropriate subject matter expert teams to obtain the necessary information or systems access

1.7.11.5.2. understand their language

1.7.11.6. Ability to elicit requirements from key stakeholders, and effectively articulate them on paper

1.7.11.7. demonstrated domain pedigree

1.7.11.8. strong interpersonal skills to engage stakeholders

1.7.11.9. Managing conflicting priorities, including demonstrated capacity to consistently deliver to promise

1.7.11.10. Demonstrable experience and technical fluency with the various security architectures, systems and methods used to protect information assets

1.7.11.11. Translating customer information security needs into technical information system security requirements.

1.7.11.12. Provide expert advice to the Security Steering Committee who provide oversight and a governance function to the Real Insurance Information Security Management System (ISMS)

1.7.11.13. You will coach and support stakeholders to lead from the front with respect to IT risk management by providing pragmatic, outcome focused risk solutions and insights in order to drive decision making.

1.7.12. Risk

1.7.12.1. Able to develop Risk profiles

1.7.12.1.1. Facilitate the identification, analysis and profile of existing and emerging risks that impact the business

1.7.12.1.2. Review of divisional risk profiles and development of the WM risk profile

1.7.12.1.3. TRP

1.7.12.2. Three lines of assurance model

1.7.12.3. Risk Awareness

1.7.12.3.1. Embedding, developing and enhancing a risk aware culture through workshops, training activity and strong communication

1.7.12.4. Identifies security risks, threats and vulnerabilities of networks, systems, applications and new technology initiatives

1.7.12.4.1. many domains

1.7.12.5. Ability to translate IT risk into business impacts

1.7.12.6. Talk about portfolio management

1.7.12.7. helping to determine acceptable levels of Security Risk for the organisation.

1.7.12.7.1. non-traditional security role

1.7.12.8. risk register database, including maintaining user permissions, company level data and liaising with vendor and IM&T on system availability

1.7.12.9. Facilitate the use of a consistent methodology and common language for risk and opportunity management

1.7.12.10. The delivery of risk advice on technology risk to assist managers in achieving their business objectives.

1.7.12.11. Manage the roadmap for security related change, define investment requirements and prioritise program of work

1.7.12.11.1. this is the point, risk based CBA