Under immediate supervision, the Information Security Auditor contributes to the mission of the office of the CISO by promoting and ensuring an effective control environment through audits, awareness and education, and consultation services. The Information Security Auditor will lead and participate in audits of security-related policies, processes and controls to ensure the adequacy of, and compliance with, corporate, regulatory and legal requirements.
ESSENTIAL DUTIES AND RESPONSIBILITIES
- Responsible for verifying compliance with security policies, standards, systems development methodology and other applicable industry accepted computing practices; performing risk assessments and pre-implementation reviews to determine security and compliance risks and opportunities.
- Document audit findings and work performed; following up on past findings for timely and adequate remediation; and partnering with the Business Lines and Internal Service Providers to assist with the approach of testing other IT dependent controls.
- Lead team efforts, including responsibility for the logistics, planning and scoping of scheduled audits.
- Manage the audit program within the context of the Information Security Risk framework, including risk assessment, scope of work to be performed, staffing and time requirements.
- Develop strong understanding of internal policy, process and controls
- Effectively create control testing strategies and execute against strategies
- Provide quality review of staff work papers and performance, communications with IT management.
- Responsible for technology and business process assessments, risk identification, use of technology solutions to facilitate the review of controls and formulation of clear recommendations for management’s consideration.
- Manage third party assessments including Pen Testing, Red/Purple Team Testing
- Review and analysis of internal vulnerability scans
- Assess the reliability and integrity of IT and operating information and the means used to identify, measure, classify, and report such information.
- Ensure audit work papers are prepared according to established department guidelines and professional standards.
- Provide routine updates to the CISO and other Information Security management regarding the progress of assigned audit tasks, significant issues identified, suggested practical business solutions and completion status.
- Provide guidance to outsourced resources to ensure a timely and efficient completion of audits.
- Present findings or other relevant information to key stakeholders with respect to the effectiveness and adequacy of risk management, governance, and internal control procedures.
- Develop and maintain effective interpersonal relationships with staff and management.
- Complete special projects at the direction of the CISO.
- Maintain high level of integrity and professionalism to handle sensitive and confidential data/materials/information received and/or reviewed with business lines
- Some travel by car and/or air in conjunction with local, regional and/or national travel, may be required.
- Assume additional duties as they arise including policy and process development, documenting continual improvement opportunities.
- Experience in auditing applications, interfaces, system infrastructure, information processing and general IT controls, including such areas as:
  - Application security management (user entitlements, authentication, accountability, data protection)
  - System architecture and design (availability, performance, scalability, data integrity)
  - Technology operations (change management, data backup and retention, performance and capacity management)
  - Technology governance (technology risk management, policies and procedures, rules, regulations, intellectual property)
- Strong working knowledge of standard concepts and practices of internal auditing, particularly the Institute of Internal Auditors (IIA) Standards for the Professional Practice of Internal Auditing and the Information Systems Audit and Control Association (ISACA) Standards for Information Systems Auditing
- Analytic and Audit Skills - Experience with data analytics and data mining tools, reviewing audit work papers and using an automated work paper solution a plus
- Strong interpersonal and communication skills.
- Team player with demonstrated track record in self-initiative and time management. Highly organized and detail-oriented with ability to set priorities and to respond to changing demands from multiple sources in a fast-paced environment. Ability to follow through, meet deadlines, anticipate requirements and build relationships.
- Demonstrated ability to work with a minimum amount of supervision.
- General understanding of banking and financial services industry practices and related rules and regulations preferred.
- Proficiency using software applications including spreadsheets, word processing and presentation software (Microsoft Office, Visio, etc.).
EDUCATION AND/OR EXPERIENCE
(The education and/or experience as necessary to perform the job satisfactorily.)
- BS/BA degree in Management Information Systems/Information Technology, Computer Science, Business (Accounting, Finance, or related), or a related field
- 3+ years’ experience in IT Audit / IT Compliance
LICENSES AND CREDENTIALS
- CISA/CRISC, CITP designation or equivalent