Technical Cyber Risk Management

Job Location

Washington - USA

Monthly Salary

Not Disclosed

Vacancy

1 Vacancy

Job Description

Under the general supervision of an information security risk manager, the Senior Information Risk Consultant (Cyber risk management) will provide expertise with security risk management and assessment of:
Azure cloud services (including but not limited to capabilities for IAM, Network Security, Policy Management, Key Management, etc.)
IT Products, platforms and services (cloud and non-cloud)
Solutions with complex hybrid architectures
Identity and Access Management Governance

The candidate will be required to work with project teams, service providers and business units internal and external to the Fund's IT function. The candidate is expected to bring pragmatic cloud security and risk management experience, allowing the Fund to meet its present and emergent business needs. The candidate is expected to advise and influence technology and business personnel regarding the value and methods of safeguarding information, applications, systems, infrastructure and activities to help ensure that technologies function optimally and work practices are optimized so that information risks are managed.

Specific responsibilities include:
1. Senior individual contributor for information security risk management projects. Sample projects/programs could include but are not limited to:
a) Control design and assessment for high-demand technical areas such as ERP, IT Service Management, Identity and Access Management, IT Resiliency, Cloud, etc.
b) Compliance framework mapping and implementation
c) Risk remediation management
d) Information Security risk reporting and monitoring
e) Creation of roadmaps to mature or advance Information Security Strategies/Programs/Controls
f) Design and enablement of cyber controls, functions and processes
g) Direct experience as a power user of Cybersecurity GRC/ solutions, tools and technologies, specifically ServiceNow and Archer
h) Projects or roles requiring coordination across lines of defense, working with technical, business, compliance, risk and audit teams to deliver solutions.

2. Delivery of information security risk assessments for large-scale IT implementation projects, including consulting with security architecture function for threat modeling, appropriate tiering of N-tier products/platforms, and design of infrastructure security controls to protect system components.

3. Practical use of risk management concepts and principles, including assessment, prioritization, delivery of treatment plans, tracking and reporting. Experience with NIST SP 800-30, ISO 27001/2, ISO 27005, COBIT.

4. Consult and review the implementation of authentication, authorization (fine-grained and coarse-grained) and cryptography (PKI, SSL, Kerberos, crypto algorithms) mechanisms within applications.

5. Consult with security assurance function on the delivery of technical security standards, configuration baselines and related procedures for the hardening of both cloud and non-cloud application and infrastructure components, tools and techniques to ensure the security of application and infrastructure components such as Linux/Windows servers, Web servers (IIS, Apache, Tomcat), app servers, databases (Oracle and MS SQL), endpoints (Mac, Windows, Apple iOS, etc.) and Web Application Firewalls.

6. Collaborate with other security functions, e.g. security architecture, security assurance, offensive security team (red/purple team), application security penetration testing team, to review and apply appropriate risk levels to the output of the assessments performed by the functions.

7. Maintain impartiality around IT systems to produce unbiased reports on information security risk.

8. Works closely with IT project teams to develop implementation plans for new security-related products and services.

9. Conducts quality assurance reviews of security requirements for the implementation of identified solutions.

10. Define/enhance process and procedures for using external security service providers, including scoping, management of services, remediation tracking and exception management.

11. Effectively communicates requirements and trains staff and managers in IT divisions to identify and manage risks throughout the project lifecycle.

12. Where applicable, manages the engagement process of external risk assessment providers and acts as a liaison with internal IT project teams and business units.

13. As an advocate of information security, works closely and proactively with IT project team leaders, service providers and business units to provide security-related technical solutions. Identifies opportunities to improve business practices or IT security-related processes.

14. Other ad hoc responsibilities may include:
a) Analyzes, recommends and implements process improvements within the context of information security.
b) Support governance activities for Identity and Access Management where requested.


Experience must include:
1. Prior work in a technical cybersecurity risk management function at organizations with security-related regulatory requirements.
2. Practical use of risk management concepts and principles, including assessment, prioritization, delivery of treatment plans, tracking and reporting, and metrics (accreditation and certification). Experience with NIST SP 800-30, ISO 27001/2, ISO 27005, COBIT.
3. Embedding security into processes such as SDLC, Project Lifecycle, ITIL, etc.
4. Demonstrated cybersecurity expertise with infrastructure, applications and database system technologies.
5. Basic IT consultancy skills. Ability to consult and deliver on the security hardening of application and infrastructure components, including tools and techniques to ensure the security of application, database and infrastructure components.
6. Pragmatic security expert with an inherent ability to balance security demands with business reality. Ability to quickly grasp how new technologies work and how security controls should be applied to achieve business goals.
7. Knowledge of security solutions, latest threats and countermeasures.

Employment Type

Full Time
