Technology Risk Manager (Information Security Control Division)

Bank of China (Hong Kong) Limited
Hong Kong, HK
On-site

Job Description

Join Bank of China (Hong Kong)

Be a dynamic member of our team

We commit to excellence and professionalism

We value people

We offer challenging and rewarding careers that will further your personal development.

For other vacancies, please visit our website at http://www.bochk.com

Job No.: 499438

Employment Type: Full time

Departments: Information Technology Department

Job Functions: Information Technology

Roles and Responsibilities & Specific Requirements (Application Security):

Assist in reviewing IT initiatives and provide advice from technology risk perspectives

Assist in establishing and reviewing policies, guidelines and procedures in the application security area

Provide advisory and practical guidance to support technology risk and information security assessments, including vulnerability scanning, penetration testing, etc.

Conduct regular assessments of application security

Familiarity with security testing tools (e.g. Fortify, AppScan and open-source scanning tools), DevSecOps technologies and industry good practice (OWASP) is preferable

Roles and Responsibilities & Specific Requirements (System Security):

Research and evaluate the latest trends and technologies in the information security and fintech areas, such as FinTech, Artificial Intelligence, Big Data, Cloud Computing, etc.

Conduct regular assessments of OS platform security and middleware software security

Plan and conduct security assessments in the area of physical security (e.g. data center security)

Assist in establishing and reviewing policies, guidelines and procedures in the system security, physical security and fintech technology security areas

Familiarity with system platform operation and system architecture design is preferable

Roles and Responsibilities & Specific Requirements (Third-Party Security):

Drive security assessments of third-party vendors, focusing on compliance with regulations, company policies, and internal controls.

Oversee information security risk management processes for onboarding and off-boarding of third-party vendor relationships.

Communicate with business units and cross-functional teams regarding third-party vendor risk issues and/or control gaps, and recommend remediation initiatives.

Provide awareness by conducting training on the third-party vendor risk management framework.

Contribute to internal practice development initiatives and the technology risk knowledge base.

Stay informed about the latest developments in the third-party vendor risk management field.

Roles and Responsibilities & Specific Requirements (Information Security):

Assist the senior manager in formulating and managing information security policies, standards and procedures.

Plan and conduct information security assessments and IT risk evaluations in areas covering IT general controls, information asset management, access controls and endpoint security review, etc.

Plan and carry out various information security assurance activities, such as computer accounts re-certification.

Review the initiation of security configuration changes, such as access rules and data leakage prevention policies.

Co-operate with system administrators to deploy various information security controls or tools, and take the lead in conducting appropriate remedial action on security incidents.

Act as a subject matter expert to assist business units and cross-functional teams in identifying and mitigating information security risks and/or control gaps, and recommend remediation initiatives.

General Job Requirements:

Degree holder in Computer Science or other degree majoring in Information Systems, or related discipline.

Over 4 years of experience in IT security, technology risk, risk management, compliance or IT audit function, gained from other sizable financial institutions.

Holding at least one recognized professional qualification under the HKMA enhanced competency framework, such as CISA, CISSP or CRISC, is preferable.

Familiarity with HKMA TMG-1, TM-E-1, PCI-DSS, ISO 2700-series or other security risk management frameworks is an advantage.

Good command of written and spoken English with Mandarin is preferable.

Good communication and interpersonal skills.

Flexibility in traveling.

Candidate with less experience will be considered as Assistant Manager.

If you are applying for in-scope position(s) under the Mandatory Reference Checking Scheme (i.e., a role carrying out regulated activities licensed by the IA, SFC & MPFA), you are required to undergo the Mandatory Reference Checking. Our responsible recruiter will inform you of the details of the MRC process and the requirements in due course.

We offer a competitive remuneration package and comprehensive fringe benefits, including medical and life insurance and different types of allowances, to the right candidate. Interested parties, please submit your application online. For details, please visit our website http://www.bochk.com

To apply: https://careers.pageuppeople.com/798/cw/en/job/499438/technology-risk-manager-information-security-control-

Skills & Requirements

Technical Skills

Application security, System security, Physical security, Third-party security, Information security, Security testing tools, DevSecOps, OWASP, Fintech, AI, Big data, Cloud computing, Information security policies, Standards and procedures, Information security assessment, IT risk evaluation, Information asset management, Access controls, Endpoint security review, Security configuration changes, Access rules, Data leakage prevention policies, System platform operation, System architecture design, Third-party vendor risk management, Internal practice development, Technology risk knowledge base, Security incidents, Security controls, Tools deployment, Communication, Problem-solving, Awareness, Training, Remediation initiatives, Banking, Finance

Employment Type

FULL TIME

Level

mid

Posted

5/7/2026
