Apply now »

Security Control Assessor

Location:  Wrocław
Other locations:  Primary Location Only
Salary: Competitive
Date:  Oct 7, 2024

Job description

Requisition ID:  1545316

Security Control Assessor

 

Location: Wrocław
Hybrid model: 2 days office/3 days remote

 

Let us introduce you the job offer by EY GDS Poland – a member of the global integrated service delivery center network by EY.

 

Today’s world is fueled by vast amounts of information. Data is more valuable than ever before. Protecting data and information systems is central to doing business, and everyone in EY Information Security has a critical role to play. Join a global team of over 950 people who collaborate to support the business of EY by protecting EY and client information assets! Our Information Security professionals enable EY to work securely and deliver secure products and services, as well as detect and quickly respond to security events as they happen. Together, the efforts of our dedicated team helps protect the EY brand and build client trust.

Within Information Security we blend risk strategy, digital identity, cyber defense, application security and technology solutions as we consider the entire security lifecycle. You will join a team of hardworking, security-focused individuals dedicated to supporting, protecting and enabling the business through innovative, secure solutions that provide speed to market and business value.

 

The opportunity

 

The Technology Assurance, Risk, and Policy (TARP) function within Information Security strives to create and promote a holistic Governance, Risk, and Compliance (GRC) program by creating a robust, resilient, and proactive governance framework, supported by a strategic risk management approach and stringent compliance structures. It aims to integrate and align its GRC initiatives in line with the global firm's objectives and emerging threats within the cybersecurity landscape.

Furthermore, the Policy, Risk, and Controls (PRC) Enablement & Awareness team aims to establish policies and procedures that reflect the value we place on safeguarding our digital environment, while ensuring that these policies are effectively communicated and enforced across all levels of the organization. The Control & Risk Assessment team sits within PRC Enablement & Awareness and aims to directly enables the GRC program by designing control testing and risk assessment methodology to measure and quantify compliance to policies and control objectives.

 

Your key responsibilities

 

  • The Control & Risk Assessment Leader will be responsible for building a control testing and risk assessment program, following the model for 1st line and 2nd line testing best-practice strategies, that routinely tests and assesses the effectiveness and efficiency of Information Security controls put in place to mitigate risks to determine if they are supporting the desired business outcomes. They will need to rank and prioritize Information Security controls based on their risk profiles and design a testing plan to inclusive of testing procedures which will be used to measure effectiveness while, simultaneously looking for opportunities to enhance and improve EY’s control landscape. In certain instances, they will need to plan and execute risk assessments to quantify assumptions over the risk profiles.
  • The Control & Risk Assessment Leader is responsible for building a team of experienced professionals to assist in executing the strategic vision and objectives of the Control & Risk Assessment testing and assessment program.
  • The Control & Risk Assessment team will work collectively to support the Information Security Program in the areas of risk risk assessment methodology development and execution of risk assessments, control testing design and execution, and identification of gaps and areas of improvement utilizing testing and assessment results.
  • Collaboration with other Information Security groups and external stakeholders across EY is key to this role.
  • The Control & Risk Assessment Leader will need to build a network of multi-departmental and multi-level stakeholders inclusive of, but not limited to Information Security, Client and Enterprise Technology, Data Protection, Global and Enterprise Risk Management, Internal Audit, Area and Regional Risk & Data teams, Service Line Quality Leaders, etc.

 

Skills and attributes for success

 

  • Plan and build multi-year roadmap to establish and mature the Control & Risk Assessment team. This includes development of the team’s charter, identification of resource needs, ongoing monitoring systems and tool requirements, and workstream prioritization.
  • Build a Control and Risk Assessment program that identifies potential risks and validates mitigation controls by conducting regular and systematic assessments of the organization's IT infrastructure, including networks, systems, applications, and data processes.
  • Based on results of assessments and testing, assist control owners with the design and implementation of their controls in the organization's IT environment. Strategize on the appropriate amount of preventive, detective, or corrective controls which will have the most impact on reducing overall risk for the firm.
  • Create a 1st Line Testing framework that can be shared with control owners that will enhance security culture and support control ownership roles and responsibilities. Conduct training and awareness campaigns to facilitate the adoption of the framework.
  • Appropriately balance firm security needs with business impact and benefit when recommending advancements in policy and control objectives and directing those efforts to completion. 
  • Think strategically to assist with the development of a long-term vision for Information Security’s Technology Assurance, Risk, and Policy direction inclusive of its program improvement, technology adoption, and integration of security solutions into business objectives.
  • Act as a thought leader in the firm, staying informed of changes in information security, regulatory requirements, audit standards, and industry trends, adjusting strategies, as necessary.
  • Build and maintain appropriate relationships with internal and external leaders to ensure awareness and understanding of potential strategic directions.  
  • Flexibility to adjust to multiple demands, shifting priorities, ambiguity, and rapid change.
  • Outstanding management, interpersonal, communication, organizational, and decision-making skills.
  • Ability to understand and integrate cultural differences and motives and to lead cross cultural teams.
  • Demonstrate integrity and judgment within a professional environment.
  • Evaluate, counsel, mentor and provide feedback on performance of others.
  • Plan the training and development of staff to develop their skills and maintain state-of-the-art knowledge in information security.

 

To qualify for the role you must have

 

  • 10+ years of experience in the Information Technology, Information Security and/or Risk Management field(s).
  • Audit experience or a demonstrated ability to design and test technology controls.
  • 5+ years of experience in managing and mentoring junior and senior level staff.
  • Experience leading global and virtual teams.
  • High proficiency in technical and general writing skills in English. 
  • An advanced degree in Computer Science, Information Security, or a related field; equivalent work experience will be considered on a case-by-case basis.
  • One or more of the following or equivalent certifications preferred: Certified Risk and Information Systems Control (CRISC), Certified Information Systems Security Processional (CISSP), Certified Information Security Manager (CISM), Certified Information System Auditor (CISA), Certified Internal Auditor (CIA), Global Information Assurance Certification (GIAC) in related area, CIPP, CIPT.

 

Ideally, you’ll also have

 

  • A working knowledge of external control standards like ISO 27001, NIST 800-53, COBIT, etc. and regulatory requirements like GDPR and SOX.
  • Skilled in Microsoft Office and M365 products; primarily Word, Excel, PowerPoint, SharePoint, PowerApps, and PowerBI.
  • Experience with RSA Archer or other GRC tools.
  • Flexibility to work outside of normal business hours when engaging with team members and stakeholders in various time zones.

 

What we offer

 

EY Global Delivery Services (GDS) is a dynamic and truly global delivery network. We work across ten locations –  Argentina, China, Hungary, India, the Philippines, Poland, Sri Lanka, Mexico, Spain and the United Kingdom – and with teams from all EY service lines, geographies and sectors, playing a vital role in the delivery of the EY growth strategy. From accountants to coders to advisory consultants, we offer a wide variety of fulfilling career opportunities that span all business disciplines. In GDS, you will collaborate with EY teams on exciting projects and work with well-known brands from across the globe. We’ll introduce you to an ever-expanding ecosystem of people, learning, skills and insights that will stay with you throughout your career.

 

  • Continuous learning: You’ll develop the mindset and skills to navigate whatever comes next.
  • Success as defined by you: We’ll provide the tools and flexibility, so you can make a meaningful impact, your way.
  • Transformative leadership: We’ll give you the insights, coaching and confidence to be the leader the world needs.
  • Diverse and inclusive culture: You’ll be embraced for who you are and empowered to use your voice to help others find theirs.

 

About EY

EY | Building a better working world

 

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

 

If you can demonstrate that you meet the criteria above, please contact us as soon as possible.

The exceptional EY experience. It’s yours to build.

 

In compliance with the requirements of the Whistleblower Protection Act, our company has established the Procedure for reporting breaches of law and undertaking appropriate follow-up actions

 

Apply now »