Role Title : ISR, Assurance Lead Reviewer
Business : Global Infrastructure
New or Existing Role? New
The role of the ISR Assurance Reviewer is to assist the Assurance Leads with conducting ISR Assurance review activities as part of the Second Line of Defence.
This could include the execution of assurance reviews and / or involvement in pre-assurance review activities including data gathering and analysis and also the development of techniques to help automate these activities.
Production and preparation of KRI data for the Assurance team is also required to provide governance over the ISR Assurance function.
The ISR Assurance Reviewer role is part of the global ISR Assurance Review team within Information Security Risk, which is accountable for providing assurance as to the effectiveness and maturity of the information security risk management framework throughout the Bank.
Impact on Business
Conducting Assurance Reviews of Information Security Risk in business areas and within Information Security Risk
Providing an assessment of information security control effectiveness and possible improvements
Tracking and assessing remediation of review findings
Undertaking pre-assurance data gathering activities
Developing techniques to improve the quality or ease of data gathering
Customers / Stakeholders
Liaising with interested parties including Audit, and other 2LoD functions external to ISR such as Operational Risk
Advising on and supporting GB / GF work to remediate findings and improve information security controls
Working with the relevant SMEs to ensure that Assurance Reviews cover all aspects of Information Security Risk
Working with Risk Analysis to understand how metrics can be improved and their production regularised
Leadership & Teamwork
Collaborating effectively with SMEs from a number of different ISR teams to deliver an effective Assurance Review
Working as part of virtual Assurance Review teams as either a Lead Reviewer or Assurance Analyst as required
Supporting the global Assurance Review process through collaboration with colleagues around the world and sharing best practice
Making suggestions on improvements to assurance review processes
Operational Effectiveness & Control
To assist in the development, rollout and monitoring of a globally consistent Assurance Review model that supports ISR's transformation to a global function including :
Reducing duplication of effort
Aligning to a single, global Assurance framework
Supporting a standard, bank wide risk model
Driving efficiency and practical improvements through the implementation of global process
Standardising and Globalising where feasible and manageable without losing coverage for regional or local processes
Establishing and maintaining effective communication with other ISR teams, 2LoD functions, Internal Audit, and GB / GF contacts.
Establishing processes to check compliance with all relevant country and regional regulations
Integrating with Risk governance structures to ensure that risk is reported through the correct channels
Complete other responsibilities, as assigned
Build effective working relationships with the business areas being reviewed and establish the Assurance Review process as an effective tool for reducing Information Security risks
Establish ISR Assurance analysis as a useful resource for the new 2LoD ISR teams
Create effective relationships with ISR GB / GF Oversight and Regional representatives through the provision of regular and ad hoc reports
As required, contributing to the development and enhancement of assurance review processes
The ISR function is transforming, and this role is being created, in response to four main drivers :
Bank’s realignment around Global Businesses and Global Functions
Deployment of the Lines of Defence Model
Need to become more efficient and standardized
Need to become intelligence led to effectively keep pace with ever increasing and sophisticated threats.
Regulatory punitive damages and censures possible in the event of Information Security weakness and / or failures
Potential significant reputational damage and consequent share price impacts due to Information Security incidents
Management of Risk
The role is expected to adhere to all relevant FIM policies and operational risk guidelines
Remain current on, and understand, all changes to the ISR Risk and Control library in order to be able to :
review the GB / GFs' implementation of the Controls and support remediation of any controls that are not effective
review ISR Assurance activities delivered through ISR teams to evaluate whether processes are complete and accurate
Observation of Internal Controls
Ensures adherence to the Information Security Risk policies (B.10.x) in the Global Risk FIM and measures the effectiveness of controls set up to implement these policies
Knowledge & Experience / Qualifications
Minimum of a Bachelor's degree and / or related experience in the Financial Services industry or a global corporate service provider
The role requires a good knowledge of Information Security Risk policies, standards and controls.
Should possess strong analytical skills to undertake analysis and interpretation of information risk related data for the area under review and to analyse the responses and information supplied by the 1LoD Representative(s) during the review.
Have the ability to assess the effective application of Information Security Controls in GBs / GFs by the first line of defence.
Have experience of dealing with senior management across Global Businesses and Functions.
Experience working in a relevant environment, i.e. Information Security, IT Operations, Software Delivery, IT Audit, or Risk.
Able to explain information security risks, and how they apply, clearly and in non-technical language to the business.
Have knowledge of ISR’s role within the three lines of defence and the Operational Risk framework
Able to assess the design effectiveness and operational effectiveness of information risk related controls in Risk & Control Assessments (RCAs) and Internal Control Monitoring Plans (ICMPs).
When required, be able to provide advice to areas that have been reviewed on how to address any identified information security weaknesses.
Have an understanding of the Operational Risk framework, in particular RCAs, ICMPs and issue and incident management.
Have a strong knowledge of the Business Information Risk Officer (BIRO) and Business Risk & Control Monitoring (BRCM) programmes and what the responsibilities of BIROs and BRCMs are in relation to Information risk.
Good technical writing skills to allow the results of assurance reviews to be presented clearly, concisely and consistently.
Able to build connections and work effectively with a virtual team of people across boundaries working on global assurance reviews
When required, able to escalate issues appropriately in order to ensure that remedial action is taken by areas that have been reviewed to address any weaknesses identified.
Able to work effectively with other areas outside of ISR such as Audit and other second line of defence areas, especially Operational Risk.
Need to have strong interpersonal skills to build and maintain relationships with a wide range of people during the assurance review process, even when conveying difficult messages.
A flexible and adaptable approach to change and will support others to respond in a similar way
A flexible and adaptable management style with experience of developing yourself and others
Professional security qualifications such as CISA, CISM or CRISC preferable
For more information about the relevant additional checks for this role please contact the hiring manager.
We are an equal opportunity employer and are committed to creating a diverse environment.