Job Description


  • Responsible for managing all Information Security activity related to audit reviews conducted by Internal Audit and External Auditors for Banking and Technology reviews
  • Works closely with business/technology units to review control effectiveness as part of Audit preparedness exercises
  • Ensures that all aspects of the local Information Security program are in a state of continual control preparedness. Ensures compliance with security practices and standards, reducing the likelihood of audit, regulatory and legal liabilities
  • Works closely with Technology and Business teams to conduct regular assessments for the various business processes/units. Ensures that risks are highlighted and risk treatment plans are defined. Collaborates with business units for risk treatment/remediation
  • Demonstrates an in-depth understanding of how Information Security integrates within the overall Technology and Business functions to achieve objectives; requires a good understanding of the industry
  • Supports stakeholders within Enterprise Infrastructure, which are primarily technology organizations supporting various business sectors
  • A strong understanding of how these organizations function and how they provide quality service to their clients is required
  • Additionally, knowledge of the architecture and infrastructure technologies used by the business to assess the IS risk exposure to the business is beneficial.
  • Ensures alignment of IS program with business strategy and acts as a strategic partner for Enterprise Infrastructure business units by promoting partnerships and supporting the implementation and maintenance of an Information Security control framework
  • Proactively manages IS risk and control through the identification, escalation, and solution development for compliance and audit issues including direct interaction and coordination with business units, control officers, and other stakeholders
  • Analyses complex Information Security issues and controls, and provides adequate IS governance or oversight for the businesses/departments supported
  • Engages with key internal and external stakeholders to support Citi’s Intelligence Led Information Security strategy and is involved in external liaison activities with cyber threat industry associations, peer financial institutions, and information sharing communities
  • Provides a single point of contact on Information Security, and acts as consultant on Information Security topics, new projects, vendors, changes to processes, applications, infrastructure, IS risk assessments, management/oversight of IS governance, regional products and related activities for all business units across Enterprise Infrastructure business units in the region
  • Interfaces with Senior Management from across Enterprise Infrastructure to provide Risk Management and Information Security guidance in forums such as staff meetings, RCMC meetings and management offsite meetings
  • Supports the Business, ISOs and other Risk and Control stakeholders in the region on Information Security
  • Partners with BISOs, GISOs and Global IS Program Managers to improve processes and reduce risk for the organization. Establishes working relationships with cross-sector ISOs with an aim of strengthening relationships to efficiently tackle security issues that span multiple businesses
  • Manages timeline and objectives of deliverables of all IS programs being driven across the franchise
  • Validates deliverables with other IS members to provide management oversight and objectively assess the progress for these programs
  • Participates in regional and corporate-level governance or program processes/committees to provide adequate representation for some aspect of program management e.g., ISRA Working Group, TPISA Working Group
  • Identifies potential requirements/enhancements to IS and IT standards, tools, and processes
  • Exercises control over policy formulation and planning



Skills / Knowledge / Experience:

  • 7+ years’ experience in IS and at least 3 IS programs including, but not limited to, Audit Reviews, IS Risk Assessment, Awareness and Training, Identity Access and Management, Data Protection, Incident Management, Vulnerability Assessment. Knowledge of key government regulations and local laws
  • Knowledge and understanding of emerging risk areas e.g. mobile remote access, wireless technologies, cloud computing, etc. Strong technical exposure in technologies, e.g. databases, cloud computing, operating systems, virtualization technologies, networks, voice, etc.
  • Knowledge of local and global regulations; Strong Risk Management experience; Working knowledge of ISO 27001, COBIT