Position Summary
Responsible for the second line of defense in technology-risk-related matters under the three-tier risk defense model, monitoring and reviewing the established control mechanisms and resources for execution in Head Office, China, overseas branches and significant subsidiaries in accordance with the Enterprise Risk Management (“ERM”) and Cybersecurity Fortification Initiative (“CFI”) frameworks.
Responsibilities
Ensure that the technology risk management framework, policies and control procedures are adequately implemented
Regularly review the relevant policy and manual for users and IT staff
Ensure the cyber risk management function is properly performed, e.g. cyber risk identification and assessment, protection against and detection of cyber incidents, and review and reporting of significant discrepancies from cyber-related risk assessments
Review and provide advice on products and system design, control procedures and risk indicators from a technology risk perspective
Provide advice for root cause analysis and remediation for incidents and issues identified
Maintain and monitor the risk profile on a regular basis
Review the risk control for third parties and cybersecurity
Review the risk controls for system resilience and recovery in support of operational resilience
Undertake oversight of all of the Bank’s branches and subsidiaries in the Group
Review project documents to ensure the SDLC is being followed
Ensure regular training is provided to staff members and that continuing training and skill development for cyber security staff are in place
Comply with all applicable regulations, rules, codes, guidelines and standards set by regulators and the Bank, and carry out duties with high integrity
Requirements
University graduate, preferably major in Computer Science related subjects or equivalent
Possess certification in CISSP/CISA as required by Enhanced Competence Framework (“ECF”) issued by the HKMA
Ideally 8-12 years’ work experience in information security, technology risk, or IT audit
Sound knowledge of regulatory requirements related to information security in the banking sector
Sound knowledge of cryptographic techniques, firewall/network security, DLP, APT, DDoS, IAM (identity and access management), vulnerability management, Cloud, etc.
Familiar with regulatory requirements such as HKMA (TM-E-1, TM-G-1, TM-G-2, SA-2), MAS, PCI-DSS, SWIFT-CSCF, etc.
Good communication skills and risk awareness
Strong analytical mindset; knowledge of artificial intelligence, data governance and controls is advantageous
Good command of both spoken and written English and Chinese; fluency in Putonghua is preferable.