The Private Wealth Management (PWM) business provides end-to-end investment management services and advice across a large range of asset classes for high-net-worth individuals. PWM leverages a global technology platform offering an integrated suite of tools and applications to onboard clients. Our software helps realize a client's goals and objectives, develops and implements an integrated wealth management plan, and delivers first-class client service.

This role is for a Cyber and Information Security Risk Officer in the Investment Management Division (IMD) Technology Risk Team, primarily focused on security controls in the business applications and processes that support the Goldman Sachs Asset Management (GSAM) and Private Wealth Management (PWM) business lines. The successful candidate will be a trusted risk adviser to high-performance application and platform teams across IMD Engineering.
RESPONSIBILITIES AND QUALIFICATIONS
HOW YOU WILL FULFILL YOUR POTENTIAL
• Interact with IMD engineering stakeholders to understand and communicate risks to critical infrastructure and systems, define potential business impact, and track commitments to apply effective mitigating controls.
• Drive adoption of application security, technology privacy, privilege management and vulnerability management controls as part of the Software Development Life Cycle (SDLC) and production management (DevOps) processes.
• Track the progress of remediation of control gaps identified by firmwide control programs, application security and vulnerability testing, Internal Audit, self-testing, or control self-assessment.
• Assist in the execution of the access and entitlements recertification, and of the SOX404 and operational risk control self-assessments, by evaluating the key risks and assessing mitigating controls and evidence to determine the risk profile for the organization.
• Assist in the development and monitoring of key risk indicators (KRIs) that are mapped to specific risks and controls in order to identify control gaps, and advise application development teams on implementing risk mitigation measures.
• Communicate the impact of technology risks and the approach to mitigation or acceptance, and provide risk assessment and advisory services to technology engineers and to technology and business management.
• Work with internal application development teams that are developing the next generation of critical business applications: help them understand Information Security, Cyber Security and Business Resiliency control requirements, and advise on the integration of these controls into their applications.
• Collaborate with the global Technology Risk Governance, Application Risk, Vulnerability Management, Privilege Management, Risk Measurement, and other global Technology Risk teams to develop and integrate best-in-class security and resiliency controls and practices.
• Contribute to the technical understanding, adoption and convergence of information security standards, solutions and tools.

SKILLS AND EXPERIENCE WE ARE LOOKING FOR
• Bachelor's degree in Computer Science, Computer Engineering, or a related field.
• 4 years of experience driving controls adoption based on information security policies, procedures or standards.
• 3 years of experience performing technology risk or vulnerability assessments aimed at independently identifying security weaknesses and gaps.
• 3 years of cyber security risk advisory and risk management experience, including risk mitigation and risk acceptance tracking and reporting.

Preferred Qualifications
• Experience interfacing with and communicating complex technical security concepts to non-technical audiences.
• Information security policy, standards, guidelines or procedures development and implementation.
• Infrastructure, database and/or application security experience.
• Privilege management (e.g. access and identity management, access recertification) experience.
• Control self-assessment, SOX404 technical control assessment, and SOC 1/SOC 2 control assessment experience.
• Strong knowledge of control frameworks and the ability to design and evaluate the effectiveness of controls embedded within business processes.
• Ability to work with large data sets, reporting dashboards and Excel worksheets.
• Industry-accepted security certifications, including CISSP, CISM, CRISC or an equivalent SANS certification.