Citi Technical Information Security Officer - Risk Management - AVP in Irving, Texas

  • Primary Location: United States, Texas, Irving

  • Other Location: United States, Florida, Tampa

  • Education: Bachelor's Degree

  • Job Function: Technology

  • Schedule: Full-time

  • Shift: Day Job

  • Employee Status: Regular

  • Travel Time: Yes, 10 % of the Time

  • Job ID: 16053320


About Citi

Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management. Our core activities are safeguarding assets, lending money, making payments and accessing the capital markets on behalf of our clients.

Citi’s Mission and Value Proposition explains what we do and Citi Leadership Standards explain how we do it. Our mission is to serve as a trusted partner to our clients by responsibly providing financial services that enable growth and economic progress. We strive to earn and maintain our clients’ and the public’s trust by constantly adhering to the highest ethical standards and making a positive impact on the communities we serve. Our Leadership Standards are a common set of skills and expected behaviors that illustrate how our employees should work every day to be successful and strengthen our ability to execute against our strategic priorities.

Diversity is a key business imperative and a source of strength at Citi. We serve clients from every walk of life, every background and every origin. Our goal is to have our workforce reflect this same diversity at all levels. Citi has made it a priority to foster a culture where the best people want to work, where individuals are promoted based on merit, where we value and demand respect for others and where opportunities to develop are widely available to all.

A Technology Information Security Officer (TISO) is required within ICG Technology Risk Management to support the Global Markets Technology development unit, with primary responsibilities to perform application risk assessment processes, to provide guidance to the development teams, and to ensure applications entering production are secure.

The ICG Technology Risk & Controls Team is responsible for managing risk and providing controls and compliance guidance and support to Technology Development Units by ensuring compliance with Citi standards, policies, and procedures, liaising with internal and external auditors and coordinating audit responses. The team needs to expand its capability to address the increasing numbers of vulnerabilities and security issues found in production application environments.

The TISO will have strong technical acumen and should establish relationships with application managers, domain architects, project managers and other disciplines within the Application Technology units. The TISO will be a focal point for ensuring that there is a strong Information Security environment as well as ensuring applications, or systems, deployed in support of a business provide a level of protection appropriate to the class of information managed in those systems.

Risk Management Responsibilities

  • Facilitate departmental compliance with all Information Security policies, standards and regulations (Sarbanes Oxley (Sox-404), Operational Risk, Cross-border Data Privacy, GLBA, etc.)

  • Conduct Application Security Assessments (ISRP, ACQ/Threat Assessments, EVA/IVA on new, existing and vendor and in-house applications, etc.)

  • Review and approve (e.g., unwrapped software, Functional IDs, USB / Local Admin access, SSL Certificates, Firewall Requests, toxic entitlements, etc.)

  • Liaise with Business Information Security Officers and application development community to assist in identifying and reducing IS risk within applications to acceptable levels

  • Monitor risk mitigation process and risk oversight

  • Engender a culture of secure coding practices as part of SDLC process

  • Act as a subject matter expert on all aspects of Application Information Security

  • Drive execution of directives as mandated by Global IS Organization

Reporting and Governance Responsibilities

  • Compile data and prepare application IS risks reports for management

  • Analysis and identification of potential non-compliance issues

  • Monitor progress of corrective action plans and risk exceptions

  • Lead and/or contribute to ad-hoc requests and projects as required

  • Act as subject matter expert on Application Information Security topics during Audit meetings

  • Identify opportunities for process improvement

  • Facilitate compliance to defined standards and develop tools to assist compliance

  • Alignment of processes across regions and globally, where possible

  • Participation in Corporate and ICG-level working groups

  • Propose and implement appropriate emergency access procedures commensurate with Information Security risk.


  • Minimum of 5-8 years of Information security experience

  • Bachelor's degree or higher in a technical discipline

  • 3-5 years' experience in Project Management and/or Web Development / Application Development / Architecture.

  • Experience with Software Development Life Cycle; Citi SDLC a plus.

  • Understanding of Operating Systems (e.g., UNIX, Linux, WINTEL), Databases (e.g., Oracle, SYBASE, MS-SQL), and Programming Languages (e.g., JAVA, .Net, C/C++).

  • Working knowledge of application security, secure coding, and development tools and practices with expertise in any one or more of the following areas: authentication and encryption solutions, web application security, mobile technologies, application architecture reviews.

  • Knowledge of Information Security, IT Risk and Controls

  • Knowledge of Citi Information Technology Management Standards, Policies and Practices

  • Proficient in MS Office products, particularly PowerPoint & Excel.

  • Professional certification, such as CSSLP and CISSP, or willingness to obtain certification within 12-18 months of start date

  • Exhibit strong influencing / negotiation skills as well as written/verbal communication skills.