[ref. e92917024] Chief Information Security Office-Strategy, Programs & GRC Associate

Location: New York

Introduction:

Established in 1912, Bank of China is one of the largest banks in the world, with over $3 trillion in assets and a footprint that spans more than 60 countries and regions. Our long-term outlook, institutional weight and global breadth provide our clients with a stable and reliable financial partner, whether in Corporate or Personal Banking or our Trade Services, Commodities, Financial Institutions and Global Markets lines of business.

Overview:

This incumbent will provide Strategy, Programs, Governance, Risk and Compliance functions as required to fulfill BOCNY information security program requirements. This incumbent will provide Strategy Coordination, CISO Projects Management, Training & Culture, Metrics & Reporting, Governance, Risk Assessments and Compliance, Data Privacy functions as detailed below.

Responsibilities:

Includes but not limited to:

Strategy
  • Coordinate Information Security strategy in alignment with the BOCNY branch strategy
  • Maintain strategic initiatives tracking and associated KRIs to track progress and execution of the objectives
  • Conduct quarterly strategy reviews with the CISO team to ensure alignment and momentum continue; adjust strategy as necessary
  • Provide end-to-end project management function for all CISO led projects
Programs
  • Manage all CISO programs, including but not limited to:
  • Information Security Program
  • Training & Culture Program
  • Security Training
  • Phishing Campaigns
  • Tabletop Exercises
  • Data Privacy Program
Governance
  • Establish and maintain Information Security policies and procedures
  • Ensure CISO roles and responsibilities are clearly delineated and documented to ensure efficiency, create synergies and ensure TISR is being properly managed across first and second lines
  • Periodically refresh and update TISR controls guidance in relevant policies and supporting procedures with detailed implementation guidance
  • Develop, monitor, and track CISO policy adherence measures and metrics
  • Provide all administrative functions for the Information Security Committee and all its sub-committees
Risk
  • Establish and enhance a TISR framework that consists of the appropriate components to effectively manage TISR
  • Conduct risk assessments of TISR for Projects, Third-Party, New Activities and Applications
  • Develop and execute a TISR annual work plan of risk identification, assessment, and control evaluation and testing activities
  • Review and contribute to the development and maintenance of the taxonomy for Risk, Process and Controls for TISR domains
  • Catalog and oversee remediation of TISR issues, including those arising from Audit and Regulatory exams, ITRM deep dives, root cause analyses and control testing
  • Track observed control gaps and root causes and annually refresh CISO policy and procedures to reflect new and enhanced controls
Compliance
  • Prepare and submit Audit Requests for evidence
  • Anticipate audit requests and prepare a comprehensive approach for CISO policy and standards and associated implementation
  • Prepare response evidence for IT/IS related regulatory exams
  • Recommend changes to policy, process or procedures to align with OCC and other federal guidelines and regulations
  • Evaluate and provide evidence of compliance for BOCNY Branch
  • Liaise with LCD/RAO/IAD to ensure collaboration and partnership so that CISO can meet regulatory IT/IS requirements
Data Privacy
  • Develop and implement strategies to ensure compliance with relevant privacy laws and regulations
  • Stay up-to-date with changes in data privacy legislation and industry best practices
  • Assist in the development and maintenance of privacy policies, standards and procedures
  • Provide oversight and monitoring of privacy risk assessments by the FLUs
  • Ensure all relevant processes reflect privacy requirements and comply with laws and regulations
  • Plan and implement privacy training programs and communications
  • Identify and assess privacy risks within the organization
Metrics & Reporting
  • Manage all metrics and reporting for CISO
  • Operational
  • Executive & Board
  • Budget & Headcount
  • Dashboards

Qualifications:

  • Bachelor’s degree in Business, Risk, Data, Computer Science, Management Information Systems, Engineering, Mathematics, or related field
  • Minimum 3 years of work experience in financial services Risk Management, Audit, IT/IS Operations, Data Privacy or other relevant functions
  • Minimum 2 years of experience in developing and executing IT/IS Risk programs, projects, and policies
  • Minimum 1 year of experience working with US Banking Regulations, financial industry standards, and industry standard IT/IS Risk Frameworks
  • Good understanding of regulatory requirements including FFIEC, GLBA, NIST
  • Knowledge of Information security and cyber security best practices
  • Knowledge of systems administration such as Windows Server, Active Directory management, Firewall, UNIX system, network architectures, etc.
  • Knowledge of security tools such as SIEM, DLP, XDR, EDR, Web Filter, etc.
  • CISSP, CRISC, or IT-related certifications preferred

Pay Range

Actual salary is commensurate with candidate’s relevant years of experience, skillset, education and other qualifications.
  • USD $42,000.00 - USD $90,000.00 /Yr.