Title: IS COB & Ctrls Tech Specialist
The ICG Technology Risk & Controls Team is responsible for managing risk and providing controls and compliance guidance and support to Technology Development Units by ensuring compliance with Citi standards, policies, and procedures. The team needs to expand its capability in line with the corporate S-SDLC program to perform security assessments of applications during the development phases and identify vulnerabilities and security issues early in the lifecycle. The S-SDLC Security Analyst will have strong technical acumen and should establish relationships with Information Security officers, domain architects, project managers and other disciplines within the Application Technology units. This role will be a focal point for ensuring that there is a strong Information Security environment, as well as ensuring that applications or systems deployed in support of a business provide a level of protection appropriate to the class of information managed in those systems.
Risk Management Responsibilities:
• Facilitate departmental compliance with all Information Security policies, standards and security testing requirements.
• Conduct/facilitate Application Security Assessments (Architecture Risk Analysis, IS Reviews, VA on new, existing, vendor and in-house applications, etc.)
• Review and approve results from the security testing.
• Partner with ICG Technology Architects and provide security subject matter expertise in reviewing the architecture of key ICG programs during their inception phase.
• Liaise with Business Information Security Officers and the application development community to assist in identifying and reducing IS risk within applications to acceptable levels.
• Monitor the risk mitigation process and provide risk oversight.
• Engender a culture of secure coding practices as part of the SDLC process.
• Act as a subject matter expert on all aspects of Application Information Security.
• Drive execution of directives as mandated by the Global IS Organization.
Reporting and Governance Responsibilities:
• Compile data and prepare application IS risk reports for management.
• Analyze and identify potential non-compliance issues.
• Monitor progress of corrective action plans and risk exceptions.
• Lead and/or contribute to ad-hoc requests and projects as required.
• Act as subject matter expert on Application Information Security topics during Audit meetings.
• Identify opportunities for process improvement.
• Facilitate compliance with defined standards and develop tools to assist compliance.
• Align processes across regions and globally, where possible.
• Participate in Corporate and ICG-level working groups.
Qualifications:
• 7 years of Information Technology experience.
• 3-5 years' experience in Project Management and/or Web Development / Application Development / Architecture, with 1 year of Secure SDLC program design, development or implementation experience.
• Experience with the Software Development Life Cycle; Citi SDLC a plus.
• Understanding of Operating Systems (e.g., UNIX, Linux, WINTEL), Databases (e.g., Oracle, SYBASE, MS-SQL), and Programming Languages (e.g., JAVA, .Net, C/C++).
• Working knowledge of application security, secure coding, and development tools and practices, with expertise in one or more of the following areas: authentication and encryption solutions, web application security, mobile technologies, application architecture reviews.
• Knowledge of Information Security, IT Risk and Controls.
• Knowledge of Citi Information Technology Management Standards, Policies and Practices.
• Proficient in MS Office products, particularly PowerPoint & Excel.
• University degree, or higher, in a technical discipline.
• Professional certification, such as CSSLP or CISSP, or willingness to obtain certification within 12-18 months of start date.
• Strong influencing/negotiation skills as well as written/verbal communication skills.