Responsibilities:

• Provide IT Risk & Security consultancy to the IT Division on technology risk management framework, IT policy and procedure, regulatory requirements and industry best practice around IT risk, IT security and regulatory compliance;
• Develop and maintain a fit and proper technology risk management and IT security framework for the company;
• Perform risk & control assessments on IT processes to articulate and explain the risk to management as well as propose mitigating controls to reduce the risk;
• Define IT security control requirements & policy;
• Oversight of threat & vulnerability management to ensure that high risk threat & vulnerability are properly addressed by relevant parties;
• Promote IT security awareness across the company;
• Assist on the investigation of IT security incident;
• Formulate IT risk and security requirements for 3rd party service providers and overseas offices from a governance perspective to assure that IT risk and security requirements are being managed;
• Perform and manage the Operational Risk Event Reporting according to the requirements from Operational Risk Management;
• Maintain IT risk register to record all the potential IT risk being identified and manage all identified risk according to the technology risk management framework;
• Develop and maintain Key Risk Indicators and security metrics for continuous monitoring of the company’s IT risk and security posture;
• Perform IT regulatory compliance assessment & reporting, work closely with Legal & Compliance Division on responding to circulars & notices that affect the IT Division;
• Coordinate all internal/external IT audit & regulatory inspection
• Assist the team head and provide support on other service areas across the function covering Technology Risk Management and Business Continuity Management.

Requirements:

• Extensive knowledge of IT risk and security principles and best practices, practical experience in IT security and to conduct IT security risk assessment
• Sound knowledge across different domains including information security, cyber security, risk & control, operational risk management
• Experience in performing IT regulatory compliance assessment & reporting
• Familiar with the regulatory environment of the banking and finance industry including the requirements from HKMA and SFC
• Strong communication and interpersonal skill and be able to work with stakeholders at all levels
• Strong business knowledge on investment banking, securities brokerage and private banking business
• Degree holder major in Computer Science or related field
• At least 8 years of experience in multiple areas including technology risk, information security, cyber security, regulatory compliance, risk & control and/or operational risk management from the banking and finance industry
• Certification in information security, IT audit, and/or business continuity (e.g. CISA, CISM, CISSP or DRII/BCI)
• Prior experience gained as an auditor is desirable

As a leading investment bank in China and Hong Kong region, the investment banking arm of Bank of China, BOC International Holdings Limited (“BOCI”), is now seeking highly motivated, creative and success-oriented professional who would like to pursue the career in our group.