Title: Senior Manager, Information Security
Reference No: 2023/10
Location: City of London
Reports to: Head of Technology Risk & Information Security
Direct reports: 2
No. Required: 1
Start Date: ASAP
This role is part of an integrated global team dedicated to mitigating risks through the efficient and effective application of information security expertise.
This role is to provide Technology Risk coverage in the International region, with a specific focus on London.
This role performs the following activities in order to prevent significant reputational, financial or other loss to the Bank and its clients:
• Participation in the development, provisioning and successful execution of an Information Security programme.
• Serve as a facilitator and liaison between the business lines, Technology Risk, Operational Risk and the Group Technology Risk community for the successful mitigation of risks through both Run the Bank & Change the Bank activities.
• Delivery of a robust and fit for purpose approach to adopting information security best practices across business and IT functions.
• Providing independent review of specific Technology activities across London.
Key Responsibilities / Accountabilities
• Participation in the development, provisioning and successful execution of an information security programme.
• Ensure effective communication to all key stakeholders in order to sustain relationships between business and IS
• Interact with compliance, operational risk, audit and legal counsel to understand corporate requirements related to security and regulatory compliance and map those requirements to current security capabilities.
• Deploy measures, systems and processes to prevent the loss or theft of the Bank’s intellectual property.
• Maintain relevant metrics to facilitate reporting and decision making.
• Ensure compliance with existing laws and regulations and ensure a secure IT Environment.
• Facilitate and promote activities to create information security awareness within the organization, including awareness of information security technologies and related regulatory issues that have a potential impact to the environment.
• Assess and detect vulnerabilities and ensure security is designed into the IT Infrastructure, applications and products.
• Analyse and categorize IT and security risks identified across all sources / processes including but not limited to system breaches and unauthorized access;
• Assist in the implementation of an IT risk, Security and Operational Risk management framework including but not limited to reviewing and managing risk assessments, risk appetite statements and risk registers;
• Project consultancy for new, changed and existing systems in accordance with the Information Security Policies, Standards and Procedures;
• Effectively communicate with Management to ensure support and commitment for the various IT Risk and Security programmes and to prioritize initiatives based on appropriate risk management;
• Responsible for tracking and managing remediation efforts of identified risks and vulnerabilities;
• Identify metrics and produce risk reports for stakeholders notifying them on key risks, incidents progress and status;
• Sets expectations and verifies delivery for security operations, including management of monitoring, IT security incident handling, and other routine security activities;
• Coordinate security controls design, testing, implementation support and compliance monitoring;
• Plan and conduct reviews of computer systems and related processes to ensure that IT operations and technology activities are adequately controlled and performed in accordance with policies and objectives and necessary IT DR plans are documented. This function includes design reviews for new applications and integration;
• Responsible for coordinating internal and external periodic or annual audits of any IT functions and systems, and work with other managers to ensure findings are acted upon;
• Actively manage local responses to security incidents and the investigation of security breaches in line with company policy and group teams.
• Initiate, facilitate, and promote activities to create IT risk and security awareness, including awareness of information security technologies and related regulatory issues that have a potential impact to the environment;
• Recommend process improvements and ensure compliance and adherence to the security policies;
• Ensures that all elements (RCSAs, Indicators, Scenarios, Incident Management) of the operational risk framework are applied effectively
• Serve as a facilitator and liaison between the business lines, IT and Technology Risk community for the successful mitigation of risks through both Run the Bank & Change the Bank activities
• Support cooperative dialogue between business and Information Security that is supported by visible and consistent action
• Contribute to and ensure implementation of the Information Security Strategy is in alignment with the vision of the business.
• Promotes information security by developing and maintaining key relationships in relevant global and regional organisations
• Contributes to the wider management team and attends appropriate meetings/ events/ governance forums.
• Delivery of a robust and fit for purpose approach to adopting information security best practices.
• Acts as liaison between Information Security and various Governance, Control & Risk offices within the bank to create and maintain reporting, problem resolution, and other tasks necessary to continuous improvement and evolution of services
• Promotes a continuous awareness of information security value to ensure timely engagement by senior technical and business managers
• Participates in industry education and networking events, maintains relationships with the external technology risk community and encourages continuous benchmarking of the Bank's information security against leading technologies and practices.
• Delivery of operational controls to provide a level of independent assurance to local management.
• Establish and maintain a series of operational controls to ensure the correct level of independent oversight covering:
  • disaster recovery testing
  • use of privileged accounts
  • end user computing
• Maintain the required level of risk assessments for the Technology estate across Asia, utilizing shared services from GIS and ensuring the engagement of local business management.
• The role is line of business focused and works directly for the Head of International Technology Risk.
• Requires sound relationships with “control & governance” functions, including legal, audit & compliance, human resources and heads of functional business units to define responsibilities as they pertain to information security.
Preferred Qualifications and Experience
• Prior industry experience within the banking and /or financial services sector in an IT Risk Management or security role – 5 years
• Experience in the identification, evaluation and documentation of policies, process and controls
• Experience working with international cross-functional teams, fostering collaboration and teamwork.
• Prior experience with the management of key incidents/errors and the ability to synthesize data, conceptualize and get to the root cause of processes that created the risk.
• Experience working in a multi-vendor and outsourced IT environment.
• Experience in developing IS strategy and frameworks in a financial institution.
• Experience in Business Analysis and Business Case Management.
• Experience directly assessing and communicating risk exposures and developing risk mitigation plans.
• Strong understanding of technology and life cycle development processes (SDLC, technology operations, business continuity, etc.).
• University degree in Business, IT or a related subject preferred.
• Information Security and/or Information Technology industry certification (CISSP, CISM, CISSP-ISSMP, CRISC or GIAC equivalent) strongly preferred.
• Process management:
  • Including knowledge of COBIT and ITIL processes including change, incident and problem management.
  • Including knowledge of standard business processes including work prioritization and best practices.
• Good understanding of the domestic and international banking industry:
  • Including knowledge of regulatory requirements of home markets, e.g. Data Protection.