Opinions on this it security role, spec attached.

chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
Just looking to get some feedback about the job spec. anyone doing this sort of role at the moment?
It has the title of it security manager but i think its more operational...

Comments

  • anthonxanthonx Member Posts: 109 ■■■□□□□□□□
    Is it possible to just copy and paste the text in the text box here? I don't want to sound alarming but with the recent news on malware attachments, I'm a bit cautious nowadays. Thanks!
    AnthonX
  • PC509PC509 Member Posts: 804 ■■■■■■□□□□
    Copy/Paste from document:



    Summary of the role’s main purpose

    To manage the operational security of IT provided services, delivering a robust assurance process across the Bank’s outsourced IT estate. Positively challenge the effectiveness of IT Security operational processes across the IT supply chain, helping to ensure that the end-to-end IT environment operates within the Bank’s policies, standards and risk appetite. To manage the IT Security control testing and supplier assurance regime.


    Principal accountabilities

    · Set the requirement for IT Security specifications for the Bank across the end-to-end IT supply chain
    · Review and approve Change designs to ensure appropriate IT Security controls are built in
    o Review pre-live changes to ensure appropriate IT Security controls have been implemented as agreed at design stage
    · Develop, maintain and execute an IT Security Testing and assurance plan which evidences effectiveness of controls for the end-to-end IT Supply chain including:
    o Infrastructure & Application currency;
    o IT Security Controls;
    o Vulnerability & Penetration testing;
    o Service Continuity & Disaster Recovery;
    o Privileged Access Management;
    o Data Security;
    o Operational IT Security processes
    · Manage an IT Security actions and remediation register, ensuring visibility of activity and that all actions and remediation activities are driven to closure according to agreed timescales
    · Manage the development and maintenance of an effective Role Based Access Control (RBAC) Framework for the Bank
    o Manage and control User Access provisioning within the RBAC control framework
    · Ensure delivery of appropriate MI/reporting and analysis for all aspects of IT Security
    · Responsible for the preparation of regular and ad-hoc IT Security reports/packs for the IT Department, together with the preparation of IT Security certification and policy attestation packs
    · Work collaboratively with the second/third lines of defence and Supplier Assurance team to ensure synergies in the IT Security control testing and supplier assurance approach
    · Develop and maintain a strong level of capability in relation to the Bank’s Risk Management Toolset
    · Provide IT Security Management technical support and assistance using own judgement in risk analysis and management, escalating more complex queries
    · Assess and develop the IT department’s capabilities in IT Security to close skill gaps with an appropriate training and education plan
    · Responsible for the continuous improvement of the IT Security Management methodology and approach
    · Proactively identify and interpret changes in regulatory requirements, legislation and industry best practice that may affect the Bank and understand the impact these changes may have on the IT Security management regime
    · Deliver analysis/reviews on individual assignments or well-defined tasks on larger projects



    Skills, knowledge and experience

    · Educated to Degree level and or extensive experience of working in an IT Security environment, preferably within the financial services industry.
    · Good operational understanding of the ITIL (IT Service Management) framework, COBIT and ISO 27001.
    · CISM or CISSP certification beneficial
    · Awareness of the benefits and constraints of operating in an outsourced IT supplier management framework and operating model.
    · Excellent organisation skills, including the ability to work under pressure and meet deadlines.
    · Ability to work using own initiative.
    · Strong written and verbal communication skills and the ability to communicate and challenge at all levels.
    · Proven analytical skills, judgement and reasoning ability.
    · Excellent knowledge of the relevant procedures, projects and services in own area of responsibility, including interpretation and application of best practices, and able to recognise a range of options and justifiably propose a recommended course of action.
    · Strong relationship management skills.

  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    It's probably a smaller security department. If it was a true management role it would have something about managing a team, leading projects, etc.
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    thanks pc509, basically they are a bank that have their it security outsourced and i am expected to manage/oversee 3rd party vendors. Are 3rd party vendors difficult to deal with? Apparently i will be picking up the phone alot to deal with any issues.
  • leboratoricalleboratorical Member Posts: 46 ■■■□□□□□□□
    It doesn't feel very hands-on. It feels more like you are doing something between compliance, strategy, vendor management, and consulting, which is what a lot of Information Security management appears to be. I could be wrong, but that's how it feels to me.
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    just an update...i was successful icon_smile.gif you are right its not a hands on role. Their it security is outsourced so its more overseeing the controls that are being put in place etc. The job title is not bad either, will be good for the resume icon_smile.gif
  • leboratoricalleboratorical Member Posts: 46 ■■■□□□□□□□
    Well, congratulations! It sounds like it will be a great learning experience, as well as something to stand out on the resume. The one thing I'd suggest is to align yourself with the company goals/strategy, and possibly to study something like CISM/CISA (the first one first).
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    yeah i hear you, hoping its not too over my head! Anyone here doing a similar job?
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    eddo1 wrote: »
    anyone?

    I'm familiar with the role. Some of my counterparts at customers and assessors are in that role. And I've had people on my staff with that role. Looks like an third-party technology risk assessor and vendor risk manager role. Any specific questions?
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    hi paul, what do you think are the most important skills to bring to a role like this? Can it get tetchy dealing with third party vendors who are implementing your it security? as i will be overseeing the controls being put in place i imagine there could be a bit of reluctance on their part to do as i say so to speak.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    eddo1 wrote: »
    ... what do you think are the most important skills to bring to a role like this?
    Based on the summary of the role, if I had to guess. This is likely a process management role. So - the type of knowledge necessary are typically very broad versus depth. I would imagine that the ideal candidate would need to have strong program management organizational skills - so that means keeping track of knowing when risk assessments need to be performed on vendors and how to risk-rank them, etc.. Internal communications and championing for the goals of vendor risk management will likely also be necessary. The job desc mentioned end-to-end - so that could mean working across procurement, legal, and end-user requestor boundaries.

    Understanding the risk tolerance of the businesses that you support will also be important. The description indicated that it's a bank so if it's a decent size bank and this is an enterprise role - than you would need to learn to deal with multiple internal businesses like lending, commercial, credit card, investment management, etc - each of those businesses could have different risk characteristics.

    And if the bank does business in multiple countries - you may need to be familiar with the various privacy regulations like GDPR, various US state laws, on the handling of consumer data. And how it applies to bank customers. US law is sectorial in nature but that's not true in all countries. And banks use external processors - so understanding how those processors handle the bank customer data is crucial. Remember - you can't outsource the risk - as bank regulators like to remind the banks.
    eddo1 wrote: »
    Can it get tetchy dealing with third party vendors who are implementing your it security? as i will be overseeing the controls being put in place i imagine there could be a bit of reluctance on their part to do as i say so to speak.
    Vendor risk at a program level is not likely to get into the nuts and bolts of an implementation. For example - if you are dealing with a SaaS provider that is not handling customer information - you may find it adequate to just read their SOC report. But if it's a provider of a critical function - than an onsite visit may be required. As for reluctance on the part of a provider - hopefully whoever is currently doing this function understands how to review vendor agreements and have inserted the relevant rights to inspect clauses. That's kinda IT vendor risk management 101. Generally speaking - it's better to perform due-diligence before the contract is signed icon_smile.gif

    Is this a job that you are applying for? If so - good luck. And let us know how it goes.

    Feel free to ask any more questions.
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    Thanks Paul some good info there, i start this new role next week so very excited.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Congrats - hope you enjoy the new job.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    @eddo1 - a couple of links in no particular order that you may find useful for your new job since you are working for a bank. You may already be familiar with the material - but in case you are not:

    https://www.pcicomplianceguide.org/pci-faqs-2/
    Service Organization Control (SOC) Reports - AICPA
    http://sharedassessments.org
    Certified in Risk and Information Systems Control - IT Certification - CRISC | ISACA

    Since you work for a bank - you should probably care about the FFIEC IT Examination booklets if you aren't already familiar with them

    FFIEC IT Examination Handbook InfoBase - IT Booklets
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    great thanks, if you think of any more relevant ones post them here icon_smile.gif
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    building on what Paul has already said, first thing you want to do after getting through new hire training is obtain a total list of all vendors, preferably one which lists what each vendor has access to of your new company's data/network/etc. Having spent a lot of time in this role within the FS sector, I can tell you the next thing you want to do after you have that list is determine if your company is currently risk rating vendors and what criteria are being used to create vendor tiers.

    As Paul said, if they dont have access to critical (PCI /PII / PHI / IP) data and your spend is low, reading their SOC I report annually may be all the review you need. However, for vendors with access to critical data ( tier1 vendor most likely), you are most likely want to go onsite and do a security/risk assessment at least annually a long with supplemental questionnaires on a quarterly or semi-annual basis. You will want to review a lot of the MSA/SOWs for these vendors to see what you are contractually allowed to review. I know our off site vendor contracts are much more stringent than onshore. Offshore are contractually required to adhere to our security policies and procedures. Onshore, not so much due to US laws

    Its a fun role if you like traveling and meeting with people... it can be hair pulling frustration level as well when you have tier 1 vendors that dont get basic security hygiene / posture
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    In an 18 month period from 2013-14, I was in India 3 times for 3-4 weeks each trip, plus in at least 20-30 states doing vendor reviews. This was just our tier 1 vendors... we did desktop reviews of tier 2 and lower vendors, requesting documentation such as their SOC report, proof of security policies, bc/dr etc
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    Thanks jcundiff, what cert material would be good to get familiar with for this type of role? Im thinking CRISC would de good? Have the pdf docs.
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    Crisc, cisa, cissp
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    eddo1 wrote: »
    what cert material would be good to get familiar with for this type of role?
    Along with what @jcundiff mentioned - check out the SharedAssessments certs - it's geared toward third-party risk.
  • chickenlicken09chickenlicken09 Member Posts: 537 ■■■■□□□□□□
    thanks paul, i see the Shared Assessment certs are CTPRP, do you know where i could get/buy the books for this cert? Had a quick look but not seeing anything. Also seems to be popular mainly in the US.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    eddo1 wrote: »
    ... do you know where i could get/buy the books for this cert? Had a quick look but not seeing anything. Also seems to be popular mainly in the US.
    I think you can only participate if your employer is a member. I recall that they are an association started by banks and other financial services orgs but have expanded into other industries.
Sign In or Register to comment.