Job Purpose
1. Develop and maintain technology risk management framework, policies, procedures, guidelines
- Develop principles and methodologies for technology risk management, establishing technology risk limit, key risk indicators ... according to international practices, legal regulations, and internal governance requirements
- Standardize risk management activities including identifying, assessing, responding and monitoring technology and information security risks following industry best practice and international standards (NIST, ISO, COBIT ...)
- Develop technology & information security threat/ vulnerability/ scenario/ control catalogs
- Consult relevant units to develop BCP/DRP in bankwide level.
- Develop technology risk management capabilities and improve bankwide technology & information security risk awareness and culture
- Develop strategies, roadmap and action plans for TDRM
Key Accountabilities (1)
Establish and maintain the technology risk management framework
- Develop technology risk management framework, methodologies, regulations, policies, standards, procedures, guidelines.
- Enhance risk taxonomies, governance policies and operating models collaborating with ORM based on investigation findings to enhance robustness of existing risk mechanism
- Establish and allocate technology risk limits, key risk indicators (KORI) according to international practices, legal regulations, and internal governance requirements
- Periodic review & update technology risk strategies/ roadmap/ action plans, technology risk management framework
Key Accountabilities (2)
Assess technology risks, consult to develop mitigation solutions and monitor
- Review and approve technology risks in technology strategy, technology platforms, technology and business processes under the authority as prescribed
- Consult to develop solutions and methods to effectively mitigate and manage technology risk based on technology risk management framework, ensuring comprehensive risk management implementation
- Technical control assurance based on internal policies, government law and regulations, international security standards
- Independent investigate cybersecurity/ technology risk events or digital platform risks; analyzing root causes, proposing solutions/actions to mitigate and manage risks
Key Accountabilities (3)
Develop technology risk management capabilities, improve bankwide technology risk awareness and culture
- Research on emering technologies appying in banking operations to provide subject matter advices in managing emerging risks
- Build & implement technology risk management capabilities (i.e. competencies standard, training, upskilling, coaching and communication) to enhance bank's capability in managing technology risks in bankwide level
- Support other units to conduct training and communication to improve bank-wide technology risks awareness and culture
Success Profile - Qualification and Experiences
Experience
- At least 10 years of relevant work experience in IT field, including at least 4 years of IT risk management (1st or 2nd line of defence) experience
- Have experience in developing IT risk governance & management framework, risk management policies, procedures and guidelines.
- Have experience in IT infrastructure operation/ IT Architecture/ Cybersecurity operation/ DevSecOps/ Cloud Computing
- Have experience in IT Audit, IT compliance & assurance
- Have experience in developing IT risk management capabilities to enhance bank's capability in managing technology risks
Expertise
- Extensive knowlegde IT & cybersecurity risk management framework (COBIT, ITIL, ISO, NIST ...), internal information security laws & regulations (Circular 09/2020-NHNN, Circular 50/2024-NHNN, Cybersecurity Law, Personal Data Protection Law ...), and international information security standards (SWIFT CSP, PCI DSS, CIS ...)
- Deep knowledge in at least 2 of the following areas: IT infrastructure operation/ IT Architecture/ Cybersecurity operation/ DevSecOps/ Cloud computing
- Good knowledge of emerging technologies such as GenAI, Blockchain, Quantium technology, etc.
Qualifications
- Having a university degree or higher on Information Technology, Information System, Computer Science, Electronics & Telecommunications, Information Security or equivalent...
- English: TOEIC 650 or equivalent
- Professional certifications in IT Risk, IT Security: CISA/CISSP/CRISC/CISM/COBIT/ITIL ...
