Chief Information Security Office-Strategy, Programs & GRC AVP
Introduction:
Established in 1912, Bank of China is one of the largest banks in the world, with over $3 trillion in assets and a footprint that spans more than 60 countries and regions. Our long-term outlook, institutional weight and global breadth provide our clients with a stable and reliable financial partner, whether in Corporate or Personal Banking or our Trade Services, Commodities, Financial Institutions and Global Markets lines of business.
Overview:
The incumbent will provide the Strategy, Programs, Governance, Risk and Compliance functions required to fulfill BOCNY information security program requirements, specifically Strategy Coordination, CISO Projects Management, Training & Culture, Metrics & Reporting, Governance, Risk Assessments and Compliance, as detailed below.
Responsibilities:
Governance
- Establish and maintain Information Security policies and procedures
- Ensure CISO roles and responsibilities are clearly delineated and documented so that the function operates efficiently, creates synergies, and TISR is properly managed across the first and second lines of defense
- Periodically refresh and update TISR controls guidance in relevant policies and supporting procedures with detailed implementation guidance
- Develop, monitor, and track CISO policy adherence measures and metrics
- Coordinate Information Security strategy in alignment with the Bank's strategy
- Maintain strategic initiatives tracking and associated KRIs to track progress and execution of the objectives
- Conduct quarterly strategy reviews with the CISO team to maintain alignment and momentum, adjusting the strategy as necessary
- Provide end-to-end project management function for all CISO led projects
- Manage all CISO programs, including but not limited to the Information Security Program and the Training & Culture Program
- Establish and enhance a TISR framework with the components needed to manage TISR effectively
- Conduct TISR risk assessments for projects, third parties, new activities and applications
- Develop and execute an annual TISR work plan of risk identification, assessment, and control evaluation and testing activities
- Review and contribute to the development and maintenance of the taxonomy for Risk, Process and Controls for TISR domains.
- Catalog and oversee remediation of TISR issues, including those arising from Audit and Regulatory exams, ITRM deep dives, root cause analyses and control testing
- Prepare and submit Audit Requests for evidence
- Anticipate audit requests and prepare a comprehensive approach for evidencing CISO policies and standards and their implementation
- Prepare response evidence for IT/IS related regulatory exams
- Recommend changes to policy, process or procedures to align with OCC and other federal guidelines and regulations
- Evaluate and provide evidence of compliance for BOCNY Branch
- Liaise with LCD/RAO/IAD to ensure collaboration and partnership so that the CISO can meet regulatory IT/IS requirements
- Manage all metrics and reporting for CISO
Qualifications:
- Bachelor’s degree in Business, Computer Science, Management Information Systems, Engineering, Mathematics, or related field is required
- Minimum 5 years of work experience in Financial services Risk Management, Audit, IT/IS Operations, or other relevant functions
- Minimum 3 years of experience in developing and executing IT/IS Risk programs, projects, and policies
- Minimum 1 year of experience working with US Banking Regulations, financial industry standards, and industry standard IT/IS Risk Frameworks
- Strong skills in developing, implementing and maintaining programs, frameworks and projects
- Sound and practical IT/IS risk management and program knowledge
- Familiarity with IT/IS Risk Management regulations, standards, and frameworks, including NIST, ISO 27002, FFIEC Guidelines, etc.
- CISSP, CRISC or other IT-related certifications preferred
Pay Range: USD $65,000.00 - USD $150,000.00 /Yr.
Actual salary is commensurate with the candidate's relevant years of experience, skill set, education and other qualifications.