
Cybersecurity Risk Assessment Vice President (C13)

Citigroup Inc

Location: Tampa, Florida
Type: Full-Time, Non-Remote
Posted on: September 12, 2022
Job Type: Full time
The Info Sec Prof Lead Analyst is an intermediate level position responsible for driving efforts to prevent, monitor and respond to information/data breaches and cyber-attacks. The overall objective of this role is to ensure the execution of Information Security directives and activities in alignment with Citi's data security policy.

The Chief Information Security Office (CISO) Governance, Risk & Control (GRC) organization provides thought leadership and first line-of-defense governance oversight in the development, delivery, and maintenance of Citi’s Information Security Program to ensure that the assets and data of Citi and its clients are properly protected. The Policy, Risk & Control group within the GRC organization is responsible for all CISO control related matters (i.e. Regulatory Exams, Internal Audits, SOC1, Managers’ Control Assessments, Client queries, Issue Management, Capability Assessments, etc.).

Responsibilities:
- Work with business unit point persons to perform Cybersecurity Inherent Risk Assessments based on the FFIEC Cyber Assessment Tool Inherent Risk Profile.
- Collect domain-level assessment results and work with control owners to perform enterprise-wide cybersecurity Control Effectiveness Assessments based on the Cyber Risk Institute Profile.
- Leverage the control effectiveness and maturity ratings in the Cyber Risk Institute Profile to deduce the Residual Risk Ratings for the 39 inherent risk areas in the FFIEC Cyber Assessment Tool Inherent Risk Profile.
- Perform ad-hoc cybersecurity capability/maturity assessments, frequency and impact analysis in response to regulatory requirements and industry standards (OCC, FRB, FINRA, MAS, HKMA, PRA, NIST, ISO, COBIT, etc.).
- Lead global cross-sector workgroups to respond to various internal and external cyber security risk assessment requests.
- Identify and report/escalate significant compliance and control issues, and help develop solutions by working closely with program owners.
- Help address info security control gaps through in-depth root cause analyses.
- Work with issue owners and control officers to monitor the progress of corrective action plans and risk exceptions.
- Provide management visibility of corrective actions that are at risk of missing plan.
- Drive the periodic discussion with second and third lines of defense to make sure there is clear understanding of corrective action scope by all stakeholders.
- Assist in the management of audits, business monitoring, certification and other Regulatory, Internal and External Audit activities.
- Keep all stakeholders abreast of audit status by being the primary contact for CISO audits.
- Ensure predefined audit methodologies are followed.
- Facilitate factual accuracy discussions.
- Coordinate audit finding responses.
- Ensure there are no surprises in the audit report for any stakeholder.
- Prepare and advise senior leaders in managing information risk primarily from the regulatory perspective.
- Provide input during policy development regarding the applicability/impact of proposed policies and procedures.
- Advise CISO process owners of process improvement opportunities.
- Taking a risk-based approach, help align processes across products/regions/functions where possible.

Qualifications:
- Hands-on experience with enterprise-wide or business unit level cybersecurity risk assessments.
- Hands-on knowledge of technology, security risk and compliance best practices such as Cyber Risk Institute Profile, FFIEC Cybersecurity Assessment Tool (CAT) and Info Security Handbook, MITRE ATT&CK, Factor Analysis of Information Risk (FAIR), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), NIST Cyber Security Framework (CSF), COBIT, ISO/IEC 27001/27002, etc.
- Hands-on knowledge of ServiceNow GRC or other GRC tools.
- Understanding of global regulatory and legal requirements for cyber risk.
- Ability to apply understanding of business processes and technical skills to successful completion of projects.
- Excellent communication, written and oral, interpersonal and presentation skills to technical and business audiences in a constantly evolving environment.
- Demonstrated experience in critical thinking and problem solving in high pressure situations.
- Self-motivated, with the ability to manage multiple projects under strict timelines, accepting ownership and accountability of the processes, multi-tasking skills, delivering on commitments, and a team player.
- Professional certification desirable: CISSP, CISM, CRISC, CISA

Education:
- Bachelor’s degree/University degree or equivalent experience

This job description provides a high-level review of the types of work performed.
Other job-related duties may be assigned as required.

-------------------------------------------------
Job Family Group: Technology
-------------------------------------------------
Job Family: Information Security
-------------------------------------------------
Time Type: Full time
-------------------------------------------------

Citi is an equal opportunity and affirmative action employer. Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi") invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity, review Accessibility at Citi.

View the "EEO is the Law" poster. View the EEO is the Law Supplement. View the EEO Policy Statement. View the Pay Transparency Posting.

-----------------------------
Effective November 1, 2021, Citi requires that all successful applicants for positions located in the United States or Puerto Rico be fully vaccinated against COVID-19 as a condition of employment and provide proof of such vaccination prior to commencement of employment.