Senior Associate -Technology Risk & Control

The Enterprise Technology Services organization partners with every part of the American Express business to power the company’s growth and innovation with trust and efficiency, and drive competitive differentiation with speed. We support the delivery and operations of technology, digital, and data capabilities, platforms, and services globally. Specifically, our team is responsible for the company’s technology engineering, architecture, and infrastructure, providing 24x7 support to ensure an uninterrupted, high-quality experience for customers and colleagues. We also provide product management for core enterprise platforms, and lead technology risk and information security, enterprise data governance and platforms, digital product and design, and enterprise AI platforms on behalf of the company

At American Express, our culture is built on a 175-year history of innovation, shared values and Leadership Behaviors, and an unwavering commitment to back our customers, communities, and colleagues. From delivering differentiated products to providing world-class customer service, we operate with a strong risk mindset, ensuring we continue to uphold our brand promise of trust, security, and service.

As part of Team Amex, you’ll experience our powerful backing with comprehensive support for your holistic well-being and many opportunities to learn new skills, develop as a leader, and grow your career. Here, your voice and ideas matter, your work makes an impact, and together, you will help us define the future of American Express.

The Sr Assoc-Tech Risk & Control function resides within the Regional Information Security Office and is responsible for control enforcement, cybersecurity awareness, reporting and enablement for American Express across APAC region. The incumbent will be responsible for helping design and execute an information security risk management program in line with business strategy and regulatory requirements.

• Contribute to the first line information security risk management and reporting.

  
  

• Assess the design effectiveness and operating effectiveness of information security controls which are relied on to protect Confidentiality, Availability, and Integrity of Information and Systems

  
  

• Collaborate with stakeholders across Bank and Enterprise to deliver various goals as part of information security program.

  
  

• Prepares status reports on information security, or other matters to help develop, track, monitor and report on projects and initiatives. 

  
  

• Consults on controls, processes, and procedures.

  
  

• Facilitates meetings to capture and document products/services or generic process changes.

  
  

• Identify, scope, and investigate new information security risks.

  
  

• Deliver leadership/regulatory reporting and risk metrics that demonstrate the effectiveness of the program at Asia pacific level.

  
  

• Identify and support information security regulatory changes and monitor implantation.

  
  

• Maintains internal documentation library, ensuring that process and other documentation is regularly updated to reflect the latest operational processes and requirements.

  
  

• Support the audit and examination requirements for the regional information security office function, in close partnership with privacy office, compliance, genera council and border information security organization.

  
  

• Consult on market-specific Business & Technologies projects to ensure appropriate security protection.

  
  

• Craft responses to Information Security audit and examination requirements for the market

  
  

• Operate as part of the extended Information Security team in support of all security and compliance initiatives.

  
  

• Experience working with regulators like Indian and Asia pacific regulators in complex regulated payments industry.

  
  

• Broad understanding of information security disciplines with emphasis on vulnerability management, data protection, infrastructure security, application security, identity and access, incident management and data analytics

  
  

• Strong in risk management. Ability to link threats to risk tolerance and control effectiveness measurements.

  
  

• Understanding of cyber regulatory landscape

  
  

Required Work Experience, Education, Certification / Training:

• Bachelor’s degree in computer science, information systems, network security or another related field. Master’s degree preferred.
• Professional certifications (CISSP, CRISC, CISA, PCI, CISM or equivalent)
• At least 5 years’ work experience in information security or technology risk management
• Technical background with hands-on experience across a variety of technologies
• Proficiency in information security, risk management and audit (risk/security policies, procedures and controls)

Required Knowledge, Skills and Abilities:

• Exceptional verbal and written communication skills
• Strong work prioritization, planning, and interpersonal skills 
• Knowledge or awareness in information security, compliance, assurance, and/or other security standard methodologies and principles
• Strong knowledge and experience in risk assessment and relevant methodologies including quantitative risk management techniques.
• Knowledge of applicable information security standards and regulatory requirements
• Highly self-motivated and directed.
• Keen attention to detail