D

Manager of Risk Management

Deepstreamtech
2 days ago
Contract
Dublin
Ireland
Requirements
  • Bachelor's degree (or equivalent practical experience) in Information Security, Information Systems, Computer Science, or related field
  • Relevant certifications such as CISA, CISSP, Security+, PCI ISA, etc
  • 5-8 years of experience in 1st Line of Defense control testing, technology audit, risk & compliance, or security engineering with demonstrated ownership of testing/assurance outcomes
  • Strong technical understanding across core security control domains
  • Experience building and executing test procedures against formal standards/frameworks, including scoping, sampling, and defining evidence requirements
  • Ability to produce clear, defensible test documentation with strong attention to detail and consistency
  • Experience in a payment, fintech, bank, or other highly regulated environment
  • Familiarity with payment security concepts and frameworks, particularly PCI DSS
  • Experience with GRC platforms (e.g. RSA Archer) and evidence/workflow automation
What the job involves
  • Corporate Security is responsible for keeping Mastercard safe and secure from cyber and physical threats
  • We are a highly effective team protecting a major component of global payments infrastructure
  • Our Security Risk and Control Operations team is at the forefront of this effort in the "1st Line of Defense," coordinating efforts across Corporate Security, enterprise risk management, and market-facing product teams to assess risks, implement controls to mitigate them, and provide assurance to regulators and stakeholders of Mastercard's best-in class performance in information security
  • We are seeking a Lead Security Control Assessor to execute testing of security controls
  • You will perform quality control over documented control processes, shape control testing plans, review submitted evidence, evaluate control strength, and initiate findings of any shortfalls
  • As a member of an enterprise wide risk management community of practice, you will also play a key role in maturing the control testing program through standardization, automation, and reporting that provides management visibility and supports regulatory/customer requirements (e.g. , PCI DSS, SOC 1/SOC 2, ISO 27001)
  • Execute control testing (including design and operating effectiveness) across key security control domains such as access management, vulnerability management, logging/monitoring, encryption, incident response, etc
  • Evaluate evidence submitted by operators of security controls, rate effectiveness, and initiate findings as required
  • Facilitate remediation of control gaps by partnering with control owners, control operators, and security engineers to clarify requirements, remove blockers, agree on target dates, and elevate overdue or high risk gaps through defined governance
  • Identify and communicate priorities for security control testing across the business, leveraging relationships with security control owners, knowledge of the risk environment, and awareness of metrics on control performance
  • Participate in documentation of control testing procedures and drive enhancements of control testing tools
  • Support internal/external assessments and audits by coordinating evidence, leading walkthroughs of control design/testing approach, and addressing inquiries in partnership with compliance and audit teams
  • NICE Framework references:
  • Mastercard Corporate Security Roles have been aligned with the NICE framework (National Initiative for Cybersecurity Education). For this role the NICE Work Roles most closely aligned are:
  • Security Control Assessment (OG-WRL-012): Responsible for conducting independent comprehensive assessments of management, operational, and technical security controls and control enhancements employed within or inherited by a system to determine their overall effectiveness
  • Systems Testing and Evaluation (DD-WRL-007): Responsible for planning, preparing, and executing system tests, evaluating test results against specifications, and reporting findings
  • Vulnerability Analysis (PD-WRL-007): Responsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense in depth architecture against known vulnerabilities
  • Cybersecurity Architect (DD-WRL-001): Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architecture, and the resulting systems that protect and support organizational mission and business processes
  • Systems Security Analyst (OM-ANA-001): Helps ensure secure configuration and operational security requirements are implemented and verifiable in production environments