This position is no longer open for applications

Head of Information Security Risk Assurance

Head of Information Security Risk Assurance (15248270/001) London, England

The job holder is accountable for leading and delivering an efficient and effective Information Security Risk Assurance function in order to identify any unidentified Information Security risks, so that the Information Security Risk Manager can advise Global Businesses and Global Functions on how to mitigate information risks in accordance with Group policies and operate within their risk appetite.

Key Accountabilities
• Oversee Assurance Reviews of Information Security Risk in Global Businesses and Functions
• Create annual review planning
• Create / enhance Assurance review processes and reporting to track ISR metrics by Business Line
• Liaising with interested parties including Audit, and other 2LoD functions external to ISR such as Operational Risk
• Holding meetings with relevant representatives from GB/GF ISR teams
• Ensure compliance monitoring and internal controls are in place within the ISR Service in accordance with regulatory standards.
• Ensure that Assurance Reviews cover all aspects of Information Security Risk
• To assist in the development, rollout and monitoring of a globally consistent model that supports ISR's transformation to a global function, including:
• Reducing duplication of effort
• Aligning to a single, global Assurance framework
• Supporting a standard, bank wide risk model
• Driving efficiency and practical improvements through the implementation of global process
• Standardising and Globalising where feasible and manageable without losing coverage for regional or local processes
• Establishing and maintaining effective communication with other ISR teams, 2LoD functions, Internal Audit, and GB/GF contacts.
• Provide specialist knowledge to advise Business Risk & Control Management of identified risks / suggested changes to risk management controls and processes allowing for greater flexibility to meet the changing risk landscape.
• Work closely with Business Risk & Control Management to provide relevant information for addressing information risk.
• Ensure line management and direct reports effectively carry out their control monitoring responsibilities through regular challenge, testing and validation.
• Retaining highly skilled information security resources in a competitive market
• Fast paced environment requiring execution of multiple simultaneous deliverables
• Matrix reporting structure with competing deliverables, priorities and timelines
• Ensuring compliance with policy and standards while managing deadlines
• Maintaining multiple region, business and function risks consistently and centrally
• Communicating technical subject matter effectively to non-technical stakeholders
• Resources are dispersed across multiple time zones, some part time, so remote collaboration, strong leadership and organisation skills are required.
• In line with the overarching strategy, the implementation of new processes/policies must be globally consistent.

Qualifications

Knowledge & Experience / Qualifications
• Proven ability in leading a large global team and strong people management
• Solid background in developing and managing operational processes
• Minimum Bachelor's Degree and/or related experience in the Financial Services industry or a global corporate service provider
• The role requires a good knowledge of Information Security Risk policies, standards and controls.
• Possess good planning skills to allow effective planning of the work needed to undertake an assurance review, track progress against plan, and meet strict and challenging deadlines.
• Should possess good analytical skills to understand / undertake analysis and interpretation of information risk related data for the area under review and to analyse the responses and information supplied by the 1LoD Representative(s) during the review.
• Have the ability to assess the effective application of Information security Controls in GBs/GFs by the first line of defence.
• Have experience of dealing with senior management across Global Businesses and Functions.
• Understanding of risk management, electronic communication, information security risks and risk / control frameworks, or those of other Financial Institutions
• Ability to communicate effectively with technical and non-technical internal stakeholders
• Ability to identify mitigating actions for risk treatment
• Ability to work in a diverse, global environment
• Excellent written and oral communication, research, analytical and process engineering skills
• Good negotiating skills
• Flexibility in working arrangements, as the role is likely to require irregular working hours
• Able to explain information security risks clearly and in non-technical language to the business and how these apply to them.
• Have knowledge of ISR’s role within the three lines of defence and the Operational Risk framework
• Able to assess the design effectiveness and operational effectiveness of information risk related controls in Risk & Control Assessments (RCAs) and Internal Control Monitoring Plans (ICMPs).
• When required, be able to provide advice to areas that have been reviewed on how to address any identified information security weaknesses.
• Have an understanding of the Operational Risk framework, in particular RCAs, ICMPs and issue and incident management.
• Able to work effectively with other areas outside of ISR such as Audit and other second line of defence areas, especially Operational Risk.
• Need to have strong interpersonal skills to build and maintain relationships with a wide range of people during the assurance review process, even when conveying difficult messages.
• A flexible and adaptable approach to change, and the ability to support others to respond in a similar way
• A flexible and adaptable management style with experience of developing yourself and others