Posted by
Puja Khatri
Delivery Manager at SYNORIS INFORMATION SYSTEMS PRIVATE LIMITED
Last Active: 09 February 2026
Posted in
IT & Systems
Job Code
1672844

Manager - IT Risk
Description:
1. Vulnerability Management & Testing:
- Perform Vulnerability Assessment and Penetration Testing (VAPT) for web, mobile applications, infrastructure, and APIs.
- Collaborate with penetration testers to assess vulnerabilities and ensure closure within defined SLAs.
- Conduct configuration reviews for infrastructure components (e.g., firewalls, servers, endpoints) to ensure adherence to security baselines.
- Recommend corrective actions and validate remediation steps for identified vulnerabilities.
- Maintain security testing reports as per internal policies and regulatory mandates (RBI, PCI DSS, etc.).
2. Change Management & Secure Configuration Review:
- Participate in Change Management processes for applications and infrastructure, ensuring security considerations are integrated before deployment.
- Review proposed changes from a security lens and assess risks associated with configurations, deployment models, and technology stacks.
- Maintain documentation of security checkpoints and validations across SDLC and change workflows.
3. Application & API Security Lifecycle Management:
- Design and implement security frameworks across applications and APIs including token handling, input validation, rate limiting, and authorization models.
- Perform end-to-end API security testing, including checks for OWASP API Top 10 vulnerabilities.
4. Threat Identification & Risk Assessment:
- Identify potential vulnerabilities and assess risks across networks, systems, and data repositories.
- Regularly conduct threat modelling exercises and vulnerability scans to understand evolving risks.
- Stay abreast of emerging threats, zero-day vulnerabilities, and cyberattack trends.
- Work closely with security teams to refine threat detection and prevention strategies.
5. Security Incident Response:
- Investigate and respond to security incidents, alerts, and breaches in a timely manner.
- Develop and maintain Incident Response Plans (IRPs) and execute drills to ensure readiness.
- Lead post-incident analysis to determine root causes, evaluate damage, and recommend improvements.
- Coordinate with stakeholders to document lessons learned and improve incident prevention mechanisms.
6. Governance, Compliance & Documentation:
- Ensure all security activities comply with regulatory guidelines and bank policies (e.g., RBI Cybersecurity Framework, ISO 27001).
- Maintain documentation of known security vulnerabilities, breach reports, remediation logs, and audit trails.
- Support audits and regulatory reviews by providing accurate and timely security data and reports.
- Create standardized security frameworks and policies for IT components such as:
- Firewalls and perimeter security
- Servers and endpoint controls
- API and application security governance
7. Advisory & Collaboration:
- Work with development, DevOps, and IT infrastructure teams to embed security into design and architecture.
- Provide feedback to internal cybersecurity engineers for improvements in system hardening and secure coding practices.
- Assist in the design of secure architectures to reduce the attack surface and ensure business continuity.
8. Continuous Learning & Knowledge Management:
- Stay updated on latest technologies, cybersecurity trends, regulatory changes, and industry benchmarks.
- Participate in cybersecurity communities, webinars, and trainings.
- Proactively recommend new tools, methodologies, and frameworks to enhance security effectiveness.
- Proficient in VAPT tools for applications and infrastructure (e.g., Burp Suite, OWASP ZAP, Nessus, Nmap, Postman).
- Strong grasp of OWASP Top 10, API Security best practices, and secure coding principles.
- Experience in secure configuration reviews for firewalls, servers, endpoints, and API gateways.
- Familiar with DevSecOps practices, including integrating security into the development and delivery process.
- Understanding of API security frameworks: OAuth 2.0, JWT, API key management, rate limiting.
- Hands-on with incident response workflows (e.g., Splunk, CrowdStrike).
- Skilled in writing and maintaining security documentation, including SOPs and incident response plans.
- Awareness of regulatory standards: RBI Cybersecurity Framework, PCI DSS, NIST.
- Exposure to risk assessments, security audits, and third-party security evaluations.
- Ability to collaborate with Dev, Infra, and Compliance teams to ensure secure deployments.
Certifications such as:
1. Certified Ethical Hacker (CEH) (Preferred)
2. CompTIA Security+ (Good to have)
3. Certified Information Security Manager (CISM) (Good to have)
4. Certified Information Systems Auditor (CISA) (Good to have)
5. Offensive Security Certified Professional (OSCP) (Good to have)