Associate, Cyber Risk-1903191
Information Risk Management is a 2nd Line oversight function. At Santander, the Information Risk Management (IRM) team engages in key projects and business/technology initiatives, works with the 1st and 3rd Lines to drive a business aligned, risk-based, cost-effective program designed for the confidentiality, integrity and availability of information, information systems (technology infrastructure, application systems and end-user technology) and information resources in support of business products and processes.
Mutual commitment and shared interests are critical to our success. We value motivated self-starters, diverse perspectives, integrity, adaptability and excellence. We seek capable, experienced, qualified and motivated individuals who seek to advance their own professional goals, by working with us to serve the best interests of our team, the firm and, our customers.
Santander is looking to hire an Associate, Information Risk Management to join our Information Risk Management team. We are looking for an experienced candidate with an Information Technology risk or audit background and experience in developing and managing information technology, information security or similarly complex programs in the Financial Services industry.
The Associate, Information Risk Management is a member of the IRM team and accountable for advancing and delivering the governance, risk, compliance and oversight program. A key contributor to the design, implementation and delivery of the IRM Program, the Associate, Information Risk Management will drive key initiatives, execute risk-based practices and deliver commercially relevant outcomes necessary to foster our shared success.
The candidate will be part of the 2nd line of defense Information Risk Management team responsible for defining risk frameworks and policy, and providing oversight, review and credible challenge of risk management activities owned and managed by the 1st line of defense. This role will report to [Director / Senior Manager] of Information Risk Management.
The individual will partner with stakeholders across all lines of defense, all business lines and support functions, including IT, IS, Risk, Compliance, Legal, Audit, Human Resources and Finance, to support the identification, assessment, management and reporting of information risks. The individual will work in concert with the operational risk management team, including the vendor risk management and business continuity management teams, to ensure close coordination, integration, transparency and awareness of information risks across all risk management programs.
* Provides 2nd Line risk oversight of the Information Risk Management Program; additionally provides 2nd Line support for the Information Technology, Information Security, Business Continuity Management and Records Management Programs, including policies/standards/procedures, strategies, material risks, risk reporting routines and metrics.
* Credible review and challenge of 1st Line Risk and Control Self-Assessments, including process mapping, identification and assessment of risk, identification of controls, and assessments of control design and effectiveness.
* Active participation in high-profile information risk management initiatives
* Supports regulatory exams, including assessing risk remediation/mitigation activities.
* Supports teams independent risk assessments of information risk management related disciplines.
EXPERIENCE and QUALIFICATIONS
* 3-5+ years of related experience; ideally a combination of Technology Risk (1st or 2nd line), IT Audit (3rd line) and/or 1st line Information Technology or Information Security experience.
* Experience in Banking / Financial Services.
* Bachelor's degree in the field of IT, Information Security or related field.
* Motivated self-starter with positive energy, integrity and high professional standards.
* Detail oriented with the ability to understand high-level strategy.
* Ability to work well both independently and collaboratively as a member of the team.
* Ability to multi-task, work in a fast-paced environment and adapt to change.
* Risk Management Knowledge: Risk Identification, Risk Assessment, Risk Treatment Measures including Risk Acceptance, Governance including Measuring/Monitoring/Reporting, Risk Aggregation, Control Assessments & Controls Testing, etc.
* Information Technology Related Knowledge: Asset management, change management, incident/problem management, patch management, Software Development Life-Cycle (SDLC), release management, capacity/performance management, data/records management and destruction, backup and recovery, etc.
* Information Security Related Knowledge: Identity and access management, privileged access management, generic ID management, threat intelligence, vulnerability management, secure coding practices, FFIEC Cyber Assessment Tool (CAT), data security and encryption, phishing, forensics, mobile security, third-party vendors, etc.
* Business Continuity Management including Business Impact Analysis and Disaster Recovery Planning.
* Technical skills and capabilities with minimal requirement of general understanding: Microsoft Windows, Red Hat Linux, IBM AIX, IBM Mainframe/Midrange, VMWare ESXi, LAN/WAN/MAN Networking, Firewall Technologies, Intrusion Detection/Prevention Systems (IDP/IPS), Security Information and Event Management (SIEM), Cloud Computing, Governance Risk and Compliance (GRC) Tools, Web Proxies, SQL/Oracle/DB2 Database Technologies, Data Leakage Protection (DLP), Storage Area Networks (SAN) and Network Attached Storage (NAS), Email Systems, End-User Computing, Web Servers, Middleware Technologies, Microsoft SharePoint.
* Regulatory Knowledge: Gramm-Leach Bliley Act (GLBA), Sarbanes-Oxley (SOX), OCC Heightened Standards, FFIEC Guidelines, HIPAA, NYDFS, GDPR.
* Knowledge of Industry-Standard Frameworks: NIST Cybersecurity Framework, SAN/CIS Critical Security Controls, ISO 9001/20000/22301/27001/31000, ISACA COBIT, COSO 2013.
LOCATION / REPORTING
* Boston, MA, East Providence, RI or Holmdel, NJ (travel between offices will be required).
* Reports to [Director / Senior Manager] of Information Risk Management.
* Extended hours may be required as dictated by management and business needs.
* Travel to multiple facilities may be required (total travel <20%).
* May be required to lift, push, or pull materials weighing up to twenty (20) pounds.
* May be required to sit and review information on a computer screen for extended periods of time.
* May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.
* Corporate / satellite office role.
Primary Location:Massachusetts-Boston-75 State Street - 06366 - State Street-Corp
Job Posting:May 31, 2019, 5:19:46 PM
AN EQUAL OPPORTUNITY EMPLOYER M/F/Vet/Disabled/SO