Global Security Assurance Consultant - Aflac, Georgia, USA

Listing Description

Build and maintain the cybersecurity control library composed of global and regional controls aligned against the NIST Cybersecurity Framework and utilizing NIST 800-53 controls as a basis.

 

Establish and maintain the associated test scripts and meta data for the controls as well as the control mapping to laws, regulations, and industry standards. Perform quality review of requests for test script changes to ensure proper rigor is consistently in place across all regions. Assist with conducting the annual inherent risk assessment for each region and globally that is mapped to the controls.

 

Facilitate the annual Control Owner attestation process.

 

Maintain the control self-testing procedures which address testing of control operating design and effectiveness. Identify Control Owners and Testers for each control, provide training, facilitate the self-testing process via a defined schedule, and track status of testing progress.

 

Provide first-level quality assurance of the testing documentation, evidence, and other supporting material to confirm the test conclusion is properly supported. Confirm the self-test was completed in accordance with the procedure (e.g. the population was complete for each control and the sample selection was proper).

As assigned, provide support to regional CAP teams (e.g. Japan CAP) regarding CAP processes. This is inclusive of second-level quality assurance for control tests that have been through the first-level QA process in other regional CAP teams.

Provide QA results to stakeholders to obtain agreement. Present and discuss any portions of the test and associated documentation that were not executed correctly, accurately, or completely.

 

Collect remediation plans from Control Owners where control gaps have been identified, track progress of remediation, and determine when a control is ready for re-test.

Assist with facilitation of a robust, annual maturity assessment of the Global Security program against the NIST Cybersecurity Framework, either via oversight of an independent assessment conducted by a third party or via self-assessment in alignment with CAP's procedures.

Provide recommendations for control enhancements and identify testing automation opportunities.

Identify integration points into enterprise processes as well as with disciplines that are outside of the security department but have security-related responsibilities, to provide a holistic view (i.e. Asset Management, Patch Management, Application Development, Architecture, Infrastructure, Third Party Risk Management, and Physical Security).

 

Communicate to leadership the results of assurance testing and changes affecting the organization’s Information Security posture. Apply the organization’s risk tolerance and risk management approach in evaluating the security posture, and escalate matters of significance.

 

Interface with designated stakeholders and subject matter experts that own Cybersecurity controls and educate them on their control related responsibilities.

 

Enhance and maintain the global security capabilities catalog to ensure accuracy and relevancy based on changes in regulatory and framework methodologies.

 

Partner with the GRC team to effectively utilize the GRC solution for assurance-related activities and reporting.

Assist in developing global security strategies and plans to support the Cybersecurity Assurance Program.

Performs other duties as required.

Education & Experience

Bachelor's Degree in Computer Science, business administration or a related field, and five to six years of information technology security experience, or an equivalent combination of education and experience.

Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), or Certified Information Systems Security Professional (CISSP) preferred.

 

Job Knowledge & Skills

Excellent verbal and written communication skills. 

 

Experience applying industry-recognized security standards for Information Security, Physical Security, Business Continuity, Disaster Recovery, Crisis Management, and IT (Asset Management, Configuration Management, Vulnerability Patching).

Knowledge and experience in the following:

  • Technology Risk Management concepts and controls
  • Managing to regulatory requirements for protecting information assets
  • Global technology organizational concepts
  • Principles and methods of all information security disciplines
  • Regulatory protective requirements for personal private information (i.e. FSA, FISC, HIPAA, GLB, SEC, and financial integrity under Sarbanes-Oxley, etc.)
  • In-depth experience applying industry-recognized security standards

 

Core Competencies

Action Oriented, Customer Focus, Adaptability, Listening, Ethics and Values, Integrity and Trust

 

Functional Competencies

Business Acumen, Decision Quality, Negotiating, Strategic Agility


Listing Details

  • Citizenship: US Citizen
  • Incentives: Bonus
  • Education: Bachelor's Degree
  • Travel: Travel 25
  • Telework: Full Telecommute



About Us

NinjaJobs is a community-run job platform developed by information security professionals. Our unique approach of focusing strictly on cybersecurity positions allows us to personalize the user experience.
