Participate in the Risk and Control Self-Assessment (RCSA) and Control Framework (CF) development and review workshops / processes to provide updates on Information Risk Policy, related minimum standards, views on IT / cyber risks and information system controls, and challenge the first line-of-defence functions on risks and key remediation controls during the RCSA and/or CF revisit workshops
Monitor the new and/or updated IT / cybersecurity laws, regulations, and international standards and review the existing Information Risk Policy, and related minimum standards to identify gaps and propose the required action plans
Work with team members to review and update Information Risk Policy and related minimum standards according to the defined periodic review cycle to ensure compliance with laws, regulations and in line with international standards or frameworks
Review and update the contents on e-learning platform for the annual cyber risk awareness training delivery to all staff and concerned parties
Provide supports to the subordinate specialist team members for the execution of Annual Key Control Testing (KCT) - Quality Assurance (QA) Plan, and review the quality of works done by the subordinate team members as part of KCT QA plan execution
Coordinate with all relevant parties for IT Non-Financial Risk Committee (IT NFRC) quarterly meeting readiness preparation
Attend the meetings and provide consult and/or views on IT risk / cyber risk and information system controls to the business units that are product / service owner in the initiative / strategic projects.
Be the coordinator and provide supports to the Compliance and Internal Audit functions in the annual self-assessment programs and/or IT audits.
Be the coordinator and provide supports to the regulators e.g., in the Annual IT Examination visit by Bank of Thailand (BOT) and to the external auditors in the independent reviews
Participate the annual Business Continuity and/or IT Disaster Recovery plans exercises
Manage special assignments (if any)
Qualifications
Master or bachelor’s degree in computer related or equivalent fields
8-10 years of professional experienced in Information Security related fields
5-10 years of working experienced in banking or financial service industry
Knowledge and skills in the areas of IT governance, IT / cyber risk, and information systems control
Knowledge and skills in the areas of system development life cycle,
Good knowledge and understanding in IT and/or Cybersecurity related laws and regulations such as BOT’s IT Risk Management Implementation, BOT’s Cyber Resilience Assessment Framework (CRAF), Computer Crime Act, Personal Data Protection Act (PDPA), etc.
Good knowledge and understanding in international standards such as NIST 800-53, ISO 27000 series, ISO 22301, PCI DSS, COBIT, ITIL, etc.
Certified Information Security Manager (CISM), Certified in Risk and Information System Control (CRISC), Certified Information Systems Auditor (CISA) or Certified Information System Security Professional (CISSP) is an advantage
Good English communication skills are required
Good consulting skills and managerial skills, can work under pressure or manage multiple assignments simultaneously to provide deliverables on time
In depth technical knowledge of: Data Centre Resilience (TIA-942), IT Security (ISO 27001), BCM (ISO 25999), Computer Networks
Proven management experience on departmental and project level.
