Information Security Specialist

Kyndryl, about 24 hours ago
Toronto, ON
Senior Level
Contract

About the role

Position: Information Security Specialist
Location: Toronto, ON (hybrid)
Duration: 12 Months to start, with potential extensions
Language: English

Overview:
The VRO (Vulnerability Remediation Office) supports the Bank's security and regulatory objectives by ensuring vulnerabilities within Infrastructure & Engineering (I&E) are remediated in a timely, compliant, and operationally sound manner. It also ensures I&E patching teams remain in compliance with all internal, regulatory, and applicable standards.

Job Description Summary
Members of the VRO-Shared Centre of Excellence team are responsible for leading I&E involvement in risk partner assessments and supporting I&E teams with the execution of activities closely tied to the Patching Standards and the Technology Risk Management, Governance and Oversight Framework.

The Information Security Specialist, VRO-Shared Centre of Excellence, supports the definition, development and/or implementation of I&E-related Technology Controls / Information Security policies, programs and tools, and provides specialized expertise and guidance on assessing risks, identifying potential gaps and providing security solutions to mitigate risks and protect the Bank. May participate on projects of moderate to high complexity and provide complex reporting, analysis, and assessments at the functional, business line or enterprise level for the VRO. The role is expected to focus largely on regulatory, audit, and enterprise-impacting activities.

Responsibilities:

  • Lead on Regulatory and Internal Audit compliance requirements, reporting and questions for the VRO

  • Provide support and consulting in preparation for Audits and in composing management responses and appropriate remediation activities

  • Provide support and consultation in preparation for Operational Risk Management assessments and in composing management responses and appropriate remediation activities

  • Provide support and consultation in composing management responses and appropriate remediation activities for First Line control exceptions and Self-Declared findings

  • Provide consultation and advice to partners on a broad range of Technology Controls / Information Security programs / policies / standards and incidents for I&E-VRO

  • Conduct project consulting on assessment of risk, definition of required controls, appropriateness of implemented control procedures, vulnerability assessments and any other relevant areas

  • Lead or contribute to completion of risk and control design assessments for VRO activities, articulate and document impact of control gaps to the business and the overall Bank, risk mitigation and remediation plans, remediation strategy document as applicable

  • Adhere to internal policies / procedures, technology control standards, and applicable regulatory guidelines

  • Lead the review of internal processes and activities and assist in identifying potential opportunities for improvement

  • Adhere to and advise on / oversee / monitor / enforce enterprise frameworks and methodologies that relate to technology controls / information security activities, with a specific focus on I&E Patching Standards and teams

  • Influence behavior to reduce risk and foster a strong technology risk management culture throughout the enterprise

Additional Details:

  • Expert knowledge of IT security and risk disciplines and practices

  • Expert knowledge of audit and regulatory reviews

  • Advanced knowledge of organization, technology controls / security / risk issues

  • May participate on complex, comprehensive or large projects and initiatives

  • Acts as a lead expert resource in technology controls / information security/audit and regulatory exams for project teams, the business / organization and/or outside vendors

  • Generally reports to Senior Manager or above

Requirements:

  • University degree or equivalent experience

  • Information security certification (e.g. CRISC, CISM, CISA, CISSP)

  • Extensive experience with risk partner engagement (including ORM, Audit, and Regulators)

  • Experience with testing of technology controls

  • Experience with development and management of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs)

  • Excellent knowledge of cybersecurity industry control standards

  • Experience developing and managing issue remediation plans

  • Familiarity with various GRC platforms and alternative tracking methods (e.g. SharePoint, Confluence, JIRA)

  • 7+ years of relevant experience

**Please note this is for a contract position with one of our clients and not a full-time employment role with Kyndryl Canada**

About Kyndryl

IT Services and IT Consulting