
IT Risk Assessment Specialist
New York, NY


Job Description

A career at New York Life offers many opportunities. To be part of a growing and successful business. To reach your full potential, whatever your specialty. Above all, to make a difference in the world by helping people achieve financial security. It's a career journey you can be proud of, and you'll find plenty of support along the way. Our development programs range from skill-building to management training, and we value our diverse and inclusive workplace where all voices can be heard. Recognized as one of Fortune's World's Most Admired Companies, New York Life is committed to improving local communities through a culture of employee giving and service, supported by our Foundation. It all adds up to a rewarding career at a company where doing right by our customers is part of who we are, as a mutual company without outside shareholders. We invite you to bring your talents to New York Life, so we can continue to help families and businesses "Be Good At Life." To learn more, please visit LinkedIn, our Newsroom and the Careers page of

Risk Assessment Specialist

The IT Risk Specialist is a member of the Risk Assessments team. The team is responsible for providing governance and oversight of the assessments performed by the first line of defense teams to ensure controls are in alignment with New York Life policies, standards and control requirements. This individual will also be responsible for conducting independent risk and control assessments across all technology layers and validating whether action plans being implemented by the first line of defense teams adequately address cybersecurity risks. The IT Risk Specialist will primarily support the existing IAM oversight program which includes assessing controls and reporting progress of the control evaluation to senior management.

Main responsibilities include:

* Act as the primary liaison to work with NYL Technology and Subsidiaries on the IAM program
* Perform evidence-based assessments of applications, infrastructure and processes
* Provide advice and recommendations to business leaders for decisions regarding Criticality, Inherent, and Residual Risk scoring
* Monitor the implementation of controls for technology and business project plans
* Continuously identify, assess, measure and monitor information technology risk by performing independent hands-on risk assessments
* Validate asset and control risk remediation actions for completeness and sustainability
* Conduct analysis of assessment results to identify recurring risk themes
* Improve and develop reporting of risk and control metrics
* Act as the first escalation point for risks and issues interacting with the business
* Escalate issues to senior management and the Risk Assessments Lead as appropriate
* Make moderate IT risk and business decisions, working with other IT groups to ensure solid cross-functional decisions are made as a team
* Work as a member of the team, performing functions such as point of contact for questions on risk assessments, control deficiencies, policies, etc., and providing other necessary activities to ensure the success of the Risk Assessments program


* Minimum 5-9 years' experience
* BA/BS required in Computer Information Systems, Business, Finance, or related field
* Prior identity and access management, risk management, audit and/or consulting experience
* Moderate understanding of key industry control frameworks (NIST Cyber Security Framework, COSO, COBIT, ISO 27000, etc.)
* Moderate level knowledge and understanding of identity and access management, systems architecture, infrastructure, security and applications
* Prior participation in planning, organizing, and conducting detailed IT Risk and Control Reviews, with a focus on Identity and Access Management
* Prior participation in performing and documenting business process and technology process walkthroughs
* Prior participation in creating control evaluation procedures and documenting substantive testing performed
* Prior participation in performing application and infrastructure layer control assessments
* This individual requires strong personal, communication, writing and organizational skills as they will be working closely with technology stakeholders across the organization
* Ability to communicate IT Risk assessment information (with a focus on Identity and Access Management) to non-technical business leaders to ensure they comprehend the risk being assigned to them
* Able to effectively communicate evaluation of risk remediation plans to action plan owners to ensure that mitigation activities are appropriately addressed



If you have difficulty using or interacting with any portions of this Web site due to incompatibility with an Assistive Technology, if you need the information in an alternative format, or if you have suggestions on how we can make this site more accessible, please contact us at: (212) 576-5811.
