The Chief Technology Office (CTO) Information Security Team is responsible for managing application security risks and providing necessary support to Technology teams.
The Technical Information Security Officer plays a key role in ensuring compliance with Citi's Information Security standards and policies.
The CTO is a global organization with major presence in North America, LATAM, EMEA and ASPAC region.
The Technical Information Security Officer Application Security Analyst will work with the system development areas to ensure proper technology risk considerations are addressed at each phase of the system development life cycle (SDLC) and provide proactive solutions to correct exposures or mitigate risk.
Interpret security standards, procedures, and guidelines for multiple platforms and diverse environments (e.g.
client server, distributed, mainframe, etc.) in designing solutions, recommending enhancements or defining mitigating controls to existing systems.
The individual should demonstrate an understanding of application security and will exercise judgment within existing practices and policies.
Perform information security risk assessment on new applications and changes to applications
Reports IS gaps to IT as applicable with appropriate recommendations
Create corrective action plans for non-compliant issues working with application development team
Recommend security solutions according to Security Policy and Practices established by Citigroup
Promote awareness of current policies and standards, as well as revisions and developments; provide consistent interpretation of policy to IT
Establish and maintain relationships with domain architects, project managers, and others within the technology development unit.
Engage in the initial requirements definition (including analysis of threats and risks and alignment with Citi IS and Architecture standards)
Conduct threat modeling and architecture risk analysis, including Secure SDLC testing requirements throughout the development lifecycle
Facilitate \"table-top\"/red-team/scenario analysis exercises in conjunction with other SME's
Plan the resolution of any identified vulnerabilities/issues
Security review of applications including responsibility for driving requirements definition and risk analysis
Facilitate and support threat/architecture reviews and scenario analysis/red team/tabletop exercises
Identify enhancements to IS tools, standards, and processes
Provide SME support to projects and programs
Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions.
Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.
Our core activities are safeguarding assets, lending money, making payments and accessing the capital markets on behalf of our clients.
Citi s Mission and Value Proposition explains what we do and Citi Leadership Standards explain how we do it.
Our mission is to serve as a trusted partner to our clients by responsibly providing financial services that enable growth and economic progress.
We strive to earn and maintain our clients and the public s trust by constantly adhering to the highest ethical standards and making a positive impact on the communities we serve.
Our Leadership Standards is a common set of skills and expected behaviors that illustrate how our employees should work every day to be successful and strengthens our ability to execute against our strategic priorities.
Diversity is a key business imperative and a source of strength at Citi.
We serve clients from every walk of life, every background and every origin.
Our goal is to have our workforce reflect this same diversity at all levels.
Citi has made it a priority to foster a culture where the best people want to work, where individuals are promoted based on merit, where we value and demand respect for others and where opportunities to develop to are widely available to all.
Bachelor s degree required or equivalent work experience
5+ years of Information Security Knowledge of Information Security, IT Risks and Controls assessment
Application Security risk assessment experience required
Good understanding of the Information control areas including Authentication, Authorization, Access Control, auditing, cryptography for applications
Good Knowledge of OWASP Guidelines for application security
Good Knowledge of software development processes, integration of security assessments in Software development life cycle (SDLC) process, secure coding is desirable
Experience with vulnerability assessment and related risk assessment tools and/or application development experience is a plus
Application development experience is a plus
Experience as application security consultant / penetration tester / security architect
Must have SME level knowledge of web application vulnerabilities and web application business logic flaws and threats
In depth, hands-on understanding and application architectures and technology (including web applications, mobile technology, identity and access management)
Demonstrable experience with mobile application security, HTML5, Web Services assessment, identity management will be highly regarded
Thorough understanding of industry and corporate technology standards for Information and Application Security
Detailed familiarity with code reviews and security hacking tools and techniques
Ability to work with and influence developers, development managers, project managers, technology peers, and business contacts are required
Strong problem solving/analytical skills
Proficient in MS Office products, particularly PowerPoint & Excel
Exhibit strong influencing / negotiation skills as well as written/verbal communication skills
Experience working under minimal supervision from management with a strong commitment to team participation
Professional certifications, such as CISSP or willingness to obtain certification within 12-18 months of start date