control testing job descriptions
All four headcounts share the same key roles and responsibilities, but each will have a specific focus/expertise as outlined in 1-4 below. This should give a high-level summary of the specific qualifications/experience we look for in resources.
1. Information Security/Cyber Security
2. Infrastructure, cloud platform, network, and service management, software engineering/SDLC
3. Data
4. ITGC and business application controls
Key Roles & Responsibilities
- Conduct and document thorough walkthroughs of IT controls
- Design test plans and document test steps to assess the control design and operating effectiveness
- Create/prepare a document request list and work with control owners/performers to obtain evidence supporting control execution and validating that the control is working as intended.
- Complete control testing workpapers and maintain detailed records of testing results, findings, and recommendations.
- Address workpaper review comments, as well as independent review and challenge from the Second Line of Defense
Specific Skillsets & Experiences
- Experience with IT internal audit or other risk assurance functions
- Knowledge of industry and compliance frameworks, e.g., NIST Cybersecurity Framework, CIS, ITIL, PCI, FedRAMP
- Strong understanding of risk management methodologies and security control testing techniques.
- Strong verbal and written communication skills, with the ability to lead walkthroughs with control owners/performers, and construct questions and follow-ups.
- Focus area for each headcount:
1. Information Security/Cyber Security focus - Technical skills and experience with particular focus on/familiarity with the following control areas or tools, including but not limited to:
- Network security - firewall, NAC, network intrusion prevention/detection, WAF, web filtering/web traffic (e.g., FireMon, Cisco ISE, Cloudflare)
- Cyber data protection/data security - DLP, data discovery/classification, email security, cloud data security/CASB, database security and encryption (e.g., Trellix, Proofpoint, Varonis, Purview, Imperva)
- Server and endpoint security - antivirus/antimalware, device protection, endpoint privileged access (e.g., CrowdStrike, Absolute, BeyondTrust)
- Cyber defense - SIEM, MSSP, and SOC for log forwarding/ingestion and monitoring; cyber threat intelligence
- Cloud platform security
- Application and API security – OWASP principles, SAST, SCA, DAST, secret scanning
- Access and authentication/privileged access (e.g., SailPoint, Okta/Auth0, Delinea)
2. Infrastructure, cloud platform, network, and service management, software engineering/SDLC focus - Technical skills and experience with particular focus on the following control areas/concepts, including but not limited to:
- Server and directory service management – build/image, configuration management, certificate management, backup and recovery, Active Directory, patching
- Workstations, Virtual Desktops, Mobile Devices – Build/Image, MAM, Patching
- Cloud platform management – AWS/AWS Well-Architected Framework, Azure, IaC/automated build templates
- Platform and application observability
- Disaster recovery – data center DR testing, high availability, cloud recovery
- Service management – Hardware/software asset management, software licensing, CMDB, change management, incident and problem management
- SDLC – DevSecOps concepts, coding services (IaC, service mesh, etc.), code repositories, CI/CD, quality engineering and quality assurance
3. Data focus - Technical skills and experience with particular focus on the following areas/concepts, including but not limited to:
- Database administration – database design/structure, access controls, build, configuration, backup, jobs, and other maintenance and security measures (e.g., SQL, PostgreSQL)
- Data warehouse platform/data development/transformation – design/architecture, data modeling, ETL, data obfuscation and masking (e.g., Snowflake, Coalesce)
- Data transit/exchange connection/data file transfers – Monitoring, Logging, Secure file transfer/protocols, error handling
- Data governance and quality management – metadata management, data lineage, data quality rules, data defect management (e.g., Collibra)
4. ITGC and business application controls / SOX focus (e.g., system interface and integration) - Technical skills and experience with particular focus on the following areas/concepts:
- Testing of SOX ITGC / IT general controls
- Testing of business application controls – automated application interface and integration, system/application
Please share your profile at surbhi.malhotra@nlbtech.com