Options Clearing Corporation
Lead Associate Principal, Security Assurance
Options Clearing Corporation, Chicago, Illinois, United States, 60290
Lead Associate Principal, Security Assurance
The Lead Associate Principal, Security Assurance is responsible for leading the scoping, planning, conducting, and reporting of various Security assessments, including collaboration with other Security teams to assess risk and requirements for new technology onboarding and PoCs, Third Party Security Assessments to support OCC's Third Party Risk Management team, assisting with oversight of the Security Observation Risk Tracking process, and special risk assessments as requested by the CSO or DCSO. This position includes supporting Security Assurance team members in the development of these various risk assessments listed above. Secondary responsibilities include developing and enhancing Security Assurance processes. This includes automation enhancements, the advancement of Cyber Risk practices, and updating relevant policies and procedures to reflect these changes. Primary Duties and Responsibilities: Scoping, planning, conducting, and reporting Security assessments for internal departments and of OCC third parties and technologies Collaborate with the Security Engineering & Technology Integration and Threat Intelligence teams to assess risk and set security requirements for new technology onboarding and PoCs Assist with oversight of the Security Observation Risk Tracking process which includes processing security observations nominated from various sources, assessing risk ratings for observations, communicating observations to risk owners, and managing the observation lifecycle Collaborate with Threat Intelligence to determine MITRE ATT&CK tagging for observations within the Security Observation Risk Tracking process Participate in Security review and approval of Linux server privilege elevation, proxy exception, and firewall exception requests Participate in Security review and approval of Risk Intake, Risk Action Plan, and Risk Acceptance records managed by the Operational Risk Management & Controls team Research and recommend new or updated risk assessment methodologies, frameworks, and standards Assist with other Security Assurance Program efforts including but not limited to tracking of remediation and validation of audit, compliance, and regulatory findings as needed. Collaborate with automation and AI teams to assess opportunities for incorporating AI into team processes Documenting process flow enhancements and working with Security Business Operations to develop and enhance Security Assurance processes. Assist Security Analysts, transferring technical and risk management knowledge Partnering with IT department to disseminate, train, and provide guidance against the Security requirements Assist in project planning, program development, and process formalization. Perform other duties as assigned Qualifications: Effective oral and written communication, analytical, judgment and collaboration skills. Analytical skills to successfully analyze, model, and present complex risk assessments Ability to work independently and effectively with local and remote OCC staff, management, vendors, and consultants while exercising sound judgment Strong understanding of information technology, risk management concepts, and analytics Possesses critical OCC values (i.e., fact based, collaborative, credibility/trust and judgment). Technical Skills: Advanced understanding of information related frameworks and standards such as COBIT, NIST 800-53, NIST CSF, ISO etc. Experience in security risk management principles and practices. Experience in working with regulatory frameworks and requirements relevant to OCC such as, Reg SCI, CFTC 99.18, etc. Experience working in ServiceNow, Tableau, Archer GRC, Jira, and Confluence Education and/or Experience: 5 years hands-on Information Security experience, preferably within previous work in Compliance, Audit, Risk Management, or Security. Bachelor's degree in Computer Science, Management Information Systems, Statistics & Quantitative Modeling, Mathematics a plus or the equivalent combination of education and/or relevant experience. Certificates or Licenses: Professional network and/or security certifications are a plus, but not required (i.e., GIAC, CISSP, CISA, CISM, CRISC, AWS cloud computing)
The Lead Associate Principal, Security Assurance is responsible for leading the scoping, planning, conducting, and reporting of various Security assessments, including collaboration with other Security teams to assess risk and requirements for new technology onboarding and PoCs, Third Party Security Assessments to support OCC's Third Party Risk Management team, assisting with oversight of the Security Observation Risk Tracking process, and special risk assessments as requested by the CSO or DCSO. This position includes supporting Security Assurance team members in the development of these various risk assessments listed above. Secondary responsibilities include developing and enhancing Security Assurance processes. This includes automation enhancements, the advancement of Cyber Risk practices, and updating relevant policies and procedures to reflect these changes. Primary Duties and Responsibilities: Scoping, planning, conducting, and reporting Security assessments for internal departments and of OCC third parties and technologies Collaborate with the Security Engineering & Technology Integration and Threat Intelligence teams to assess risk and set security requirements for new technology onboarding and PoCs Assist with oversight of the Security Observation Risk Tracking process which includes processing security observations nominated from various sources, assessing risk ratings for observations, communicating observations to risk owners, and managing the observation lifecycle Collaborate with Threat Intelligence to determine MITRE ATT&CK tagging for observations within the Security Observation Risk Tracking process Participate in Security review and approval of Linux server privilege elevation, proxy exception, and firewall exception requests Participate in Security review and approval of Risk Intake, Risk Action Plan, and Risk Acceptance records managed by the Operational Risk Management & Controls team Research and recommend new or updated risk assessment methodologies, frameworks, and standards Assist with other Security Assurance Program efforts including but not limited to tracking of remediation and validation of audit, compliance, and regulatory findings as needed. Collaborate with automation and AI teams to assess opportunities for incorporating AI into team processes Documenting process flow enhancements and working with Security Business Operations to develop and enhance Security Assurance processes. Assist Security Analysts, transferring technical and risk management knowledge Partnering with IT department to disseminate, train, and provide guidance against the Security requirements Assist in project planning, program development, and process formalization. Perform other duties as assigned Qualifications: Effective oral and written communication, analytical, judgment and collaboration skills. Analytical skills to successfully analyze, model, and present complex risk assessments Ability to work independently and effectively with local and remote OCC staff, management, vendors, and consultants while exercising sound judgment Strong understanding of information technology, risk management concepts, and analytics Possesses critical OCC values (i.e., fact based, collaborative, credibility/trust and judgment). Technical Skills: Advanced understanding of information related frameworks and standards such as COBIT, NIST 800-53, NIST CSF, ISO etc. Experience in security risk management principles and practices. Experience in working with regulatory frameworks and requirements relevant to OCC such as, Reg SCI, CFTC 99.18, etc. Experience working in ServiceNow, Tableau, Archer GRC, Jira, and Confluence Education and/or Experience: 5 years hands-on Information Security experience, preferably within previous work in Compliance, Audit, Risk Management, or Security. Bachelor's degree in Computer Science, Management Information Systems, Statistics & Quantitative Modeling, Mathematics a plus or the equivalent combination of education and/or relevant experience. Certificates or Licenses: Professional network and/or security certifications are a plus, but not required (i.e., GIAC, CISSP, CISA, CISM, CRISC, AWS cloud computing)