HSBC Group
Edinburgh, Midlothian, United Kingdom
15d ago


Role Title : ISR, Assurance Lead Reviewer

Business : Global Infrastructure

New or Existing Role? New

Role Purpose

  • The role of the ISR Assurance Reviewer is to assist the Assurance Leads with conducting ISR Assurance review activities as part of the Second Line of Defence.
  • This could include the execution of assurance reviews and / or involvement in pre-assurance review activities including data gathering and analysis and also the development of techniques to help automate these activities.

  • Production and preparation of KRI data for the Assurance team is also required to provide governance over the ISR Assurance function.

  • The ISR Assurance Reviewer role is part of the global ISR Assurance Review team within Information Security Risk, which is accountable for providing assurance as to the effectiveness and maturity of the information security risk management framework throughout the Bank.
Impact on Business

  • Conducting Assurance Reviews of Information Security Risk in business areas and within Information Security Risk
  • Providing an assessment of information security control effectiveness and possible improvements
  • Tracking and assessing remediation of review findings
  • Undertaking pre-assurance data gathering activities
  • Developing techniques to improve the quality or ease of data gathering
Customers / Stakeholders

  • Liaising with interested parties including Audit, and other 2LoD functions external to ISR such as Operational Risk
  • Advising on and supporting GB / GF work to remediate findings and improve information security controls
  • Working with the relevant SMEs to ensure that Assurance Reviews cover all aspects of Information Security Risk
  • Working with Risk Analysis to understand how metrics can be improved and their production regularised
Leadership & Teamwork

  • Collaborating effectively with SMEs from a number of different ISR teams to deliver an effective Assurance Review
  • Working as part of virtual Assurance Review teams as either a Lead Reviewer or Assurance Analyst as required
  • Supporting the global Assurance Review process through collaboration with colleagues around the world and sharing best practice
  • Making suggestions on improvements to assurance review processes
Operational Effectiveness & Control

  • To assist in the development, rollout and monitoring of a globally consistent Assurance Review model that supports ISR's transformation to a global function, including:
      • Reducing duplication of effort
      • Aligning to a single, global Assurance framework
      • Supporting a standard, bank-wide risk model
      • Driving efficiency and practical improvements through the implementation of global processes
      • Standardising and globalising where feasible and manageable without losing coverage for regional or local processes
  • Establishing and maintaining effective communication with other ISR teams, 2LoD functions, Internal Audit, and GB / GF contacts.
  • Establish processes to check compliance with all relevant country and regional regulations
  • Integrate with Risk governance structures to ensure that risk is reported through the correct channels
  • Complete other responsibilities, as assigned
Major Challenges

  • Build effective working relationships with the business areas being reviewed and establish the Assurance Review process as an effective tool for reducing Information Security risks
  • Establish ISR Assurance analysis as a useful resource for the new 2LoD ISR teams
  • Create effective relationships with ISR GB / GF Oversight and Regional representatives through the provision of regular and ad hoc reports
  • As required, contributing to the development and enhancement of assurance review processes
Role Context

  • The ISR function is transforming, and this role is being created, in response to four main drivers:
      • The Bank's realignment around Global Businesses and Global Functions
      • Deployment of the Lines of Defence model
      • The need to become more efficient and standardised
      • The need to become intelligence-led in order to keep pace with ever-increasing and more sophisticated threats
Role Dimensions

  • Regulatory punitive damages and censures are possible in the event of Information Security weaknesses and / or failures
  • Potentially significant reputational damage, and consequent share price impact, due to Information Security incidents
Management of Risk

  • The role is expected to adhere to all relevant FIM policies and operational risk guidelines
  • Remain current on, and understand, all changes to the ISR Risk and Control library in order to be able to:
      • review the GB / GFs' implementation of the Controls and support remediation of any controls that are not effective
      • review ISR Assurance activities delivered through ISR teams, evaluating them for complete and accurate processes
Observation of Internal Controls

  • Ensures adherence to the Information Security Risk policies (B.10.x) in the Global Risk FIM and measures the effectiveness of controls set up to implement these policies
Qualifications

Knowledge & Experience / Qualifications

  • Minimum Bachelor Degree and / or related experience in the Financial Services industry or global corporate service provider
  • The role requires a good knowledge of Information Security Risk policies, standards and controls.
  • Should possess strong analytical skills to undertake analysis and interpretation of information risk related data for the area under review and to analyse the responses and information supplied by the 1LoD Representative(s) during the review.
  • Have the ability to assess the effective application of Information security Controls in GBs / GFs by the first line of defence.
  • Have experience of dealing with senior management across Global Businesses and Functions.
  • Experience working in a relevant environment, i.e. Information Security, IT Operations, Software Delivery, IT Audit or Risk.
  • Able to explain information security risks clearly and in non-technical language to the business and how these apply to them.
  • Have knowledge of ISR’s role within the three lines of defence and the Operational Risk framework
  • Able to assess the design effectiveness and operational effectiveness of information risk related controls in Risk & Control Assessments (RCAs) and Internal Control Monitoring Plans (ICMPs).
  • When required, be able to provide advice to areas that have been reviewed on how to address any identified information security weaknesses.
  • Have an understanding of the Operational Risk framework, in particular RCAs, ICMPs and issue and incident management.
  • Have a strong knowledge of the Business Information Risk Officer (BIRO) and Business Risk & Control Monitoring (BRCM) programmes and what the responsibilities of BIROs and BRCMs are in relation to Information risk.
  • Good technical writing skills to allow the results of assurance reviews to be presented clearly, concisely and consistently.
  • Able to build connections and work effectively with a virtual team of people across boundaries working on global assurance reviews
  • When required, able to escalate issues appropriately in order to ensure that remedial action is taken by areas that have been reviewed to address any weaknesses identified.
  • Able to work effectively with other areas outside of ISR such as Audit and other second line of defence areas, especially Operational Risk.
  • Need to have strong interpersonal skills to build and maintain relationships with a wide range of people during the assurance review process, even when conveying difficult messages.
  • A flexible and adaptable approach to change and will support others to respond in a similar way
  • A flexible and adaptable management style with experience of developing yourself and others
  • Professional Security Qualifications such as CISA, CISM, CRISC preferable
  • For more information about the relevant additional checks for this role please contact the hiring manager.

We are an equal opportunity employer and are committed to creating a diverse environment.
