Information Security Risk Officer, Bank of Montreal, Canada-Ontario-Toronto #UCF (Salary Not Disclosed)

April 5, 2019 | Job Postings

An Information Security Risk Officer is responsible for applying information security risk knowledge and expertise to assist with Second Line of Defense activities, helping to strengthen the enterprise information security posture and ensure regulatory compliance.

  • Working knowledge of compliance tools such as the Unified Compliance Framework (UCF) Common Controls Hub (CCH) helpful, but not required.
  • Bachelor’s degree in Information Technology, Computer Science, Business Administration, or relevant educational and professional experience
  • Advanced knowledge and experience in information security across all platforms and all business units, including networking, applications, identity and access management, operating systems, cloud services, email gateway, privileged access management, vulnerability management, database security and endpoint security
  • CISSP (Certified Information Systems Security Professional) certification or candidate for certification highly preferred
  • CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control) or CIPP (Certified Information Privacy Professional) certifications helpful, but not required
  • Experience working with ISO 27001 (or similar) security framework, PCI DSS and CSA CCM standards in an operational IT environment required
  • Experience applying other security frameworks (e.g., CSF, COBIT), laws and standards (e.g. Sarbanes-Oxley, GDPR, HIPAA) helpful, but not required
  • Working experience with IT Security risk frameworks such as ISO 27005, OCTAVE, FAIR, NIST RMF very helpful
  • Operational experience in applying risk frameworks to technologies (including cloud, containers) and continuous processes (including DevOps and Agile software deployment) very helpful

Key Accountabilities

  • Ensure an independent view of information security capabilities, effectiveness and maturity, and create a real-time reporting mechanism with real-time data to support the view while keeping key stakeholders informed
  • Jointly accountable with 1st Line Information Security leaders to ensure that IS capabilities are effective, current, industry leading and conform to our standards
  • Provide effective challenge of strategy, day-to-day operations and gap remediation with the goal to ensure adequate protection of digital assets at the bank
  • Ensure that all controls are defined to ensure all regulatory requirements are met, designed effectively with clear documentation and implemented with clear visibility into the evidence that control is working effectively.
  • Ensure that all gaps in controls are proactively identified and action plans for risk treatment are in place and tracked with accountability established.
  • Ensure that each competency in the information security domain has a defined strategy.
  • Establish capability to review data on a real time basis to ensure risks are identified and treated in a timely manner.
  • Establish a quantifiable mechanism to report risks leveraging the FAIR methodology.
