Vulnerability Management Role - Financial Business

Description:

JOB TITLE: VULNERABILITY MANAGEMENT SME

Corporate Title:

Department: Information Security

Overview of the Department/Section:

CLIENT is one of the world's leading financial groups. Headquartered in Tokyo and with approximately 350 years of history, CLIENT is a global network with around 2,300 offices in over 50 countries including the Americas, Europe, the Middle East and Africa, Asia and Oceania, and East Asia.. The group has over 150,000 employees, offering services including commercial banking, trust banking, securities, credit cards, consumer finance, asset management, and leasing.

As one of the top financial groups globally with a vision to be the world's most trusted, we want to attract, nurture and retain the most talented individuals in the market. The size and range of CLIENT's global business creates opportunities for our employees to stretch themselves and reap the rewards, whilst our common values, to behave with integrity and responsibility, and to build a culture which is fair, transparent, and honest, underpin everything that we do.We aim to be the financial partner of choice for our clients, whatever their requirements, building long-term relationships, serving society, and fostering shared and sustainable growth for a better world.

CLIENTs shares trade on the Tokyo, Nagoya, and New York (NYSE: MTU) stock exchanges. The groups operating companies include, but are not limited to, CLIENT Bank, Mitsubishi UFJ Trust and Banking (Japan's leading trust bank), Mitsubishi UFJ Securities Holdings (one of Japan's largest securities firms), and CLIENT Americas Holdings.

Please visit our website for more information - Clientemea.com.

Technology is responsible for the operation, development and support of all technology across all areas of the local and international business. We ensure the IT strategy, architecture solutions, and service delivery are firmly aligned to business requirements and long term strategy of the group.

Technology comprises the following functions:

Architecture and Development team - which is responsible for the provision of shared services including architecture, middleware, new systems development, quality assurance and release management.Middle, Risk and Back Office Team - which is responsible for all the applications used by these areas including the main trading system, Murex.

Front Office Solutions - which provides a business-oriented focus to all technological developments that affect the trading floor.Infrastructure team - which supports the operation of all production services, voice and data networks, other voice systems and desktop systems.

Programme Office and Purchasing - which is responsible for definition, prioritisation and delivery of the annual investment portfolio as well as procurement and software licence management.

IT Risk and Control - which is responsible for implementing and managing all technology related controls over IT and information risk and business continuity, supports the provision of disaster recovery solutions, performs risk assessments, and manages business recovery plans and the business recovery facility. Information Secuity is also the responsibility of this function.

Main Purpose of the Role:

- To support Vulnerability Management activities and Policy Compliance activities by providing guidance to technology owners on remedial actions.

- Reduce the vulnerability footprint by working wih the technology owner or product owner.

- Provide comprehensive solutions to complex problems, lead major iniatives in risk reduction surrounding vulnerabilities.

- Ensure that processes are documented in accordance with CLIENT requirements and standards,

- Influence the strategic direction on risk reduction that impact the organisation by prioritising remediation activities.

- To ensure effective management and control of information security, IT and information risk for MUSI by ensuring all appropriate Security, IT and common sense controls are in place, that these controls are being followed and that this is evidenced across the whole business and IT department.

- The role will involve liaising with the other information security functions within the MUS international business and CLIENT group to ensure a consistent approach to all controls, standards and policies is adopted across the organisation.

- To ensure all necessary Information Security controls are in place and that an appropriate strategy to protect the firm from related Cyber, external and internal threats is defined and being implemented.

- To develop, implement and manage compliance with appropriate IS and IT Security policies, standards and procedures.

- To support the relationship and associated reporting requirements between Technology and internal and external bodies e.g. auditors, management committees, Tokyo head office, regulators (via Compliance), Operational Risk.

Key Responsibilities:

- In this role, you will be responsible for Information Security across CLIENTs banking arm and securities business under a dual-hat arrangement. Under this arrangement, you will act and make decisions on behalf of both the bank and the securities business, subject to the same remit and level of authority, and irrespective of the entity which employs you.

- Develop and manage processes for assessing disclosed vulnerabilities, threat scenarios, and mitigating controls.

- Develop and manage processes for maintaining governance surrounding policy compliance (CIS benchmarks or other asset hardening frameworks or standards).

- Evaluate the threats that vulnerabilities present to drive prioritization of remediation actions.

- Assist in process development that includes reviewing and validating vulnerabilities using available data sources, tools as analysts assess and risk rate vulnerabilities.

- Monitor and report on the security posture of CLIENTs digital presence, i.e. CLIENT web sites.

- Liaise with Technology and Business teams as necessary to ensure all MUSI systems meet MUSI security standards and/or agree appropriate measures to mitigate the risk where they dont.

- Collaborate with stakeholders across the enterprise on appropriate remediation & mitigation solutions.

- Support Audit & Regulatory liaison and ensure consistent and timely answers to information requests.

- Support any issues and remedial actions resulting from information security incidents and audits are agreed with appropriate timescales for resolution.

- Support Operational Risk management

- Support MUSIs information security risk profile and associated operational risk reporting.

- Ensure adequate technical safeguards are in place and are being actively managed by the support teams to provide appropriate protection to MUSIs information assets across the following environments:

1. Windows & Unix operating systems

2. Databases (Oracle, SQL, Sybase)

3. Networks

- Be seen as the Information Security centre of excellence for MUSI and ensure MUSI adopt an appropriate and professional response on any information security issues raised by the organisations business activities

- Liaise with IT teams to ensure information security alerts, threats and vulnerabilities across the IT estate are highlighted, managed and mitigated within appropriate timescales

- Maintain an up to date, working knowledge of current laws, regulations and best practices relating to information security.

- Support the annual penetration test

- Support Information Security incidents where requested.

- Support Operational Security duties where requested.

- Responsibility covers EMEA for Bank and EMEA for Securities technology

Skills and Experience:

- Experience as a Vulnerability Analyst

- Understanding of Vulnerability Management principles

- Understanding of Risk Assessment Methodologies

- Knowledge of industry standard scoring models such as CVSS (Common Vulnerability Scoring System) or CCSS (Common Configuration Scoring System)

- Knowledge of industry standard data models such as CPE (Collection Processing Engine) and data normalization tools

- Process oriented with keen attention to detail

- Knowledge of common vulnerabilities, attack vectors and mitigation techniques

- Ability to proactively anticipate problems and execute solutions at a strategic level

- Wide knowledge of application and IT products, interoperability, and extensive knowledge of IT security

- Knowledge of application development platforms

- Knowledge of vulnerability attack methods, exploit results, attack chains

- Ability to think strategically

- Active involvement in internal and external audits and experience of managing Audit relationships.

- A bachelors degree in computer sciene, cybersecurity or a related field

Desired but not necessary:

- Qualys Cloud Portal experience

- Experience in cloud security, preferably with Azure / Oracle Cloud Infrastructure

- Knowledge of cloud security frameworks, tools and technologies

- Experience with DLP (Data Loss Prevention) such policy creation and management, workflow and approval.

Personal Requirements:

- Excellent communication skills

- Results driven, with a strong sense of accountability

- A proactive, motivated approach.

- The ability to operate with urgency and prioritise work accordingly

- Strong decision making skills, the ability to demonstrate sound judgement

- A structured and logical approach to work

- Strong problem solving skills

- A creative and innovative approach to work

- Excellent interpersonal skills

- The ability to manage large workloads and tight deadlines

- Excellent attention to detail and accuracy

- A calm approach, with the ability to perform well in a pressurised environment