Compliance & Operational Risk Manager - Information Security

Bank Of America Corporation Charlotte , NC 28201

Posted 2 months ago

Job Description:

Specific Job Description

The Operational Risk and Compliance oversight role will have a broad focus across the areas of threat prevention, network and infrastructure security, application security, patch management, data loss prevention, and incident management. The position will engage with subject matter experts within the Global Information Security organization, with a focus on detecting, remediating and preventing operational risk across the organization, including self-inspection programs; standards, policy and rule governance; and program execution in support of the Bank of America Risk Framework. Coverage includes activities associated with:

Monitoring - Identify, analyze, and provide informed risk challenges on current and emerging trends within the cyber security threat landscape. Monitor key metrics and programs. Participate in governance routines, review information and key reports / metrics, and challenge appropriately.

Assessment - Lead assessment activity related to current and evolving security risks that have the potential to impact the company and/or its customers. Influence and challenge senior executives regarding control environments. Evaluate the performance, capability and/or coverage of processes, risks and controls, and determine the scope and prioritization of risks, processes and controls to review and test.

Testing - Create and review test results and open issues as appropriate upon test failure.

  • Create and manage a global coverage plan which defines the scope and focus of the second line's risk management activities.

  • Help establish, monitor and report on enterprise risk tolerance metric(s) that are translated and connected to relevant business metrics (Key Risk Indicators).

  • Monitor regulatory environment and participate in industry forums to identify areas of focus and conduct benchmarking.

  • Create and maintain a regulatory inventory, communicate regulatory changes to and engage the FLU/CF in assessing impacts of regulatory changes for enterprise area of coverage.

  • Develop and maintain relevant policies or review relevant FLU / CF policies to ensure they reflect regulatory and operational risk requirements.

  • Advise and direct business leaders through the FLU/CF C&OR officers to ensure that regulatory requirements are addressed in their respective procedures and controls so that their daily activities operate in a compliant manner.

  • Conduct and contribute to annual and targeted risk assessments.

  • Review and analyze aggregate results of FLU/CFs' Risk and Control Self-Assessments (RCSA) for EAC-specific themes and trends.

  • Create and manage monitoring and testing coverage plans and related metrics.

  • Monitor and test the effectiveness of the FLU and CF's processes and compliance and operational risk controls.

  • Identify, aggregate, report and escalate risks, issues and control enhancements and ensure the C&OR officers for the FLU/CF are aware of issues.

  • Review and analyze internal and external losses related to their area of coverage for enterprise-wide themes; escalate concerns or loss exposures as appropriate.

  • Lead or contribute to Scenario Analysis activities to provide a forward-looking estimate of hypothetical operational losses.

  • Execute governance and management routines.

  • Identify regulatory training needs, provide subject matter expertise to support development of training curriculum, and inspect FLU/CF.

  • Advise Risk peers and business leaders in preparations for and participation in regulatory exams and audits. Prepare and participate in EAC-specific exams and audits.

  • Inspect that gap closure plans and commitments made regarding actions in response to Matters Requiring Attention ("MRAs") and other actions are completed.

  • Escalate regulatory relations concerns to EAC C&OR Executive.

  • Ensure Compliance and Operational Risk "owned" issues (i.e., Internal Audit, Regulator and Self-Identified issues) are addressed appropriately and timely.

The EAC Compliance & Operational Risk Manager plans, drives and reviews team deliverables to support consistent quality of activities, processes and outputs. This role may contribute as a manager responsible for providing leadership direction to attract, assess, develop, motivate and retain a team, or may act as an individual contributor.

Provide coverage through risk reviews and assessments to identify opportunities to reduce risks related to information security.

  • Technology experience: network security, application security, database security, IDS configuration and monitoring, and supervisory control and data acquisition (SCADA) security.

  • Review and challenge security controls and processes.

  • Use subject matter expertise and broad technology experience to provide insight and risk mitigation influence related to business processes.

  • Conduct forward-looking assessments to identify new/emerging information security risks.

  • Effective communication.

  • Information Security and Risk related certifications (CISSP, SANS, CRISC or CPSM).

  • Ability to present technical information to non-technical persons.

Required Skills and Qualifications:
7+ years in technology, operational risk and/or information security, of which at least 3 years must include direct experience in operational risk management and/or information security. Broad technical background with understanding of information security technologies, concepts and controls.

  • 2+ years' experience with information security technology

  • Demonstrated knowledge of application and infrastructure architecture

  • Strong ability to self-direct work and area of focus and to establish appropriate timelines and execution.

  • Excellent written and verbal communication skills

  • Broad knowledge across many functional business areas

  • Ability to translate complex process, application and technology control gaps into risk

  • Ability to identify issues and control weaknesses

  • Relationship management skills and ability to interface confidently with associates of all levels, including senior executives

  • Ability to influence at all management levels in a complex organization

  • Ability to align against a strategic priority and organize and deliver results

General Job Description

The Enterprise Area of Coverage (EAC) Compliance & Operational Risk (C&OR) Manager is a subject matter expert on specific processes, controls, laws, rules and/or regulations that have enterprise-wide applicability, affecting two or more Front Line Units ("FLU") or Control Functions ("CF"). This role is responsible for the execution of the Compliance and Operational Risk Programs ("CORM Program"), the Global Compliance Enterprise Policy ("GC Policy") and the Operational Risk Management Enterprise Policy ("ORM Policy") for these enterprise areas of coverage. The EAC C&OR Manager identifies, escalates and mitigates risks in a timely manner in alignment with the CRM and ORM Programs and the GC and ORM Policies. The role engages with FLU/CF leaders globally through the FLU/CF compliance and operational risk officer (C&OR) teams to independently advise those leaders on effectively managing the risks related to their area of coverage. By executing the CORM Program and Policies, the EAC C&OR Manager identifies themes and trends, conducts analysis for new and emerging risks and recommends approaches to mitigate these risks. Activities this role performs for their area of coverage include but are not limited to:

Global Risk Management is seeking a technical Information Security Risk professional to provide Operational Risk and Compliance oversight across Global Information Security. The role is critical to the overall coverage of Global Information Security and will provide technical coverage of critical GIS processes and controls across the enterprise. The role requires experience and expertise with information security technologies, concepts, tools and controls, and the ability to escalate, debate and challenge significant risks as appropriate.

1st shift (United States of America)

Hours Per Week:
