Description
Job Summary
The IT and InfoSec Operational Risk Officer within the second line of defense Operational Risk organization is responsible for the independent oversight of front-line Information Technology (IT) and Information Security (IS) units, socializing risk concepts and frameworks and promoting the organization's risk culture, including education and training. The IT and InfoSec Operational Risk Officer must adapt previous experience and industry leading practices to fit Northwest. The position also partners with functional and operational leadership in the development of risk mitigation plans, consistent with the Bank's enterprise risk management framework. The role will be an integral part of a risk management team that encourages creativity, leadership, and influence. The role is expected to have a significant impact and influence in bank-wide strategic decision-making, and to support our mission through risk-based and data-driven decision making.
Essential Functions
- Provide companywide oversight and governance over information security and information technology risks
- Help mature and execute an IT and IS risk management framework using industry leading practices (e.g., NIST CSF, COBIT, SCF) taking into consideration regulatory expectations
- Independently assess risks and drive actions to address the root causes that persistently lead to significant residual operational risk by challenging both historical and proposed practices
- Leverage the current ERM framework and partner with first-line IT and IS teams to further mature IT risk assessments, document controls, identify gaps, and create action plans for critical IT and IS processes, including validation and testing to ensure IT risk programs are implemented and executed appropriately
- Help refine the risk register for IT, IS and operational risk competencies, as well as help create additional ones as appropriate
- Provide oversight of IT/IS Risk and Control Self-Assessment (RCSA) activities, and monitoring routines (Third Party, Audit, Issue Management, Remediations, etc.)
- Make recommendations for remediation of issues and continuous monitoring through the creation of metrics
- Review processes and controls against leading practice and industry frameworks, identify gaps in design and execution, and communicate issues and make recommendations
- Perform independent risk assessment of the first line, inclusive of emerging risks
- Review and challenge first-line risk acceptances
- Identify trends, themes, and tendencies that indicate emerging IT/IS risks by mining relevant metrics, loss data and external events, and effectively communicate learnings to the business to drive necessary responses and action
- Complete risk assessments of critical technology implementations (e.g., Cloud Computing, hybrid infrastructure models, and Active Directory)
- Provide analysis and reporting of Northwest's IT and IS risk profile, and consultative advice to Northwest's Management Team
- Influence appropriate risk management prioritization by the first line to enable the business to meet strategic objectives, while meeting IT and IS risk program expectations
- Ensure compliance with Northwest's policies and procedures, and Federal/State regulations
- Navigate Microsoft Office Software, computer applications, and software specific to the department to maximize technology tools and gain efficiency
- Work as part of a team
- Work with on-site equipment
Education + Experience preferred
- Bachelor's degree in Information Technology or related degree
- 12 - 15 years of banking or regulatory experience
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Personnel
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)