Senior member of the Control Assurance team reporting to the Information Security Control Assurance Testing Manager.
May lead or support the independent comprehensive assessments of the management, operational, and technical security controls employed within processes or IT systems to determine the overall effectiveness of the controls.
Tasks / Responsibilities
Contribute to the planning of control tests, including risk identification, sampling, selection of controls, testing methods and reporting criteria.
May lead control testing teams to perform design and operating effectiveness testing of information security controls, including fieldwork, testing and reporting activities.
Provides peer review for control testing documentation produced during testing and acts as Quality Assessor for tests they may lead, ensuring the accurate and timely completion of all the required control testing documentation.
Will identify and document control deficiencies including root causes, risk descriptions, consistent issue ratings and recommendations for improvement.
Is involved in creating and presenting reports of control testing findings to the testing stakeholders, including the socialization of any findings.
May be the primary contact with business stakeholders for the control tests they lead, and is responsible for the quality of control testing engagements and stakeholder communications, including regular status updates.
Contributes to the efficiency of the control testing program by ensuring that KPIs are measurable, that testing materials are standardized, and that stakeholder feedback is captured to facilitate continual improvement.
Experience / Knowledge / Skills / Abilities / Qualifications
3+ years’ experience performing IT Audit or Information Security control assessments.
Bachelor’s degree in computer science, management information systems or relevant field or equivalent demonstrable experience.
CISA, CISM, CISSP, PCI QSA, ISO Lead Auditor or comparable certifications preferred.
Knowledge of cybersecurity principles and organizational requirements relevant to confidentiality, integrity, availability, authentication and non-repudiation.
Knowledge of governance, risk, and controls principles.
Good collaboration and interpersonal skills
Skills in verbal and written communication
Skill in preparing plans and related correspondence
Skill in determining the protection needs of information systems, processes and networks
Skill in conducting reviews of systems
Skill in performing impact / risk assessment
Skill in performing root cause analysis
Skill in managing expectations and demonstrating commitment to delivering quality results
Ability to apply critical reading / thinking skills
Ability to answer questions in a clear and concise manner
Ability to ask clarifying questions
Ability to facilitate small group meetings
Ability to collect, verify, validate and analyze test data
Ability to translate data and test results into evaluative conclusions
Ability to exercise judgement when controls are not well defined