HK Information Security Expert, VP

Company Confidential

  • Company Industries: Others

Job Information

  • Post Date: 2024-08-11
  • Location: Southern District
  • Employment Type: Full time
  • Job Function: Security

Job Description

Responsibilities:

Security Control Review:

  • Define scope, roadmap, and testing plan to assess key cybersecurity controls on an ongoing basis
  • Perform test of design and effectiveness on key cybersecurity controls
  • Work to embed control testing within the organisation with a focus on automation and efficiencies
  • Work with various teams to define follow-up actions to remediate control weaknesses identified
  • Maintain, review and renew risk acceptances for control risks that cannot be fully mitigated

Project Security Assessments:

  • Work with relevant teams to perform security assessments, reviewing high- and low-level architecture designs, and provide recommendations to mitigate identified risks on new projects being rolled out
  • Depending on the nature of the project, security assessments should cover application and data security requirements to ensure compliance with internal policies and framework
  • Ensure compliance with cybersecurity related regulations that may be relevant to the project
  • Perform follow-up on remediation actions that may result from the security assessment

Third Party Risk Assessments:

  • Perform information security reviews on requests for outsourcing, including review of the vendor's security capability and risk of data leakage

Regulatory Reviews:

  • Perform reviews to assess the company's compliance against cyber regulatory topics across Asia
  • Work with Compliance to identify new and arising regulatory requirements with impact to cybersecurity

Participation in committees:

  • Participate in regional and global governance meetings and normative committees where required
  • Provide updates within the team and liaise regularly with other teams in Asia, including application managers, technology, compliance, operational risk managers, risk management and third party management

Requirements

  • Proficient in performing security architecture and security design reviews
  • Knowledge of application, system and network auditing
  • Strong understanding of IT infrastructure and IT applicative framework architectures
  • Familiarity with cloud computing and container technologies (Docker and Kubernetes)
  • Good understanding of application vulnerabilities and common exploits (e.g. OWASP Top 10)
  • Knowledge of security hardening standards (e.g. Center for Internet Security benchmarks, NIST)
  • Experience with security control reviews and audits
  • Experience in performing third party reviews / assessments
  • Familiar with cybersecurity regulatory topics in Asia (e.g. HKMA C-RAF, MAS TRM, etc)
  • Computer programming experience desirable
  • Excellent English verbal and written communication skills, experience in communicating complex technical topics at senior organizational levels, up to and including MD level
  • Client oriented mindset, results driven, proactive and quick to react to requests
  • Innovative and bringing new ideas to improve processes
  • Bachelor's degree in Information Technology or equivalent
  • Professional qualification such as CISSP, CISM, ITIL
  • Experienced security professional with 8+ years of relevant experience
  • HKMA Enhanced Competency Framework (ECF) certification is preferred

Company Info

Company Confidential
