Secure-by-Design Team Lead

Do you want your voice heard and your actions to count?

Discover your opportunity with Mitsubishi UFJ Financial Group (MUFG), one of the world’s leading financial groups. Across the globe, we’re 120,000 colleagues, striving to make a difference for every client, organization, and community we serve. We stand for our values, building long-term relationships, serving society, and fostering shared and sustainable growth for a better world.

With a vision to be the world’s most trusted financial group, it’s part of our culture to put people first, listen to new and diverse ideas and collaborate toward greater innovation, speed and agility. This means investing in talent, technologies, and tools that empower you to own your career.

Join MUFG, where being inspired is expected and making a meaningful impact is rewarded.

EDUCATION • Degree or equivalent work experience equally preferable. • Degree in Computer Science or related fields CERTIFICATIONS • Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), CEPT, CEH, GPEN, ECSA, LPT, CISA, CRISC, or other security certifications desired WORK EXPERIENCE • Extensive experience in: • - technology and executing Cybersecurity assessments, providing guidance to business stakeholders, and interpreting and applying policies and standards • - risk assessment and information security practices • - a global, complex, matrix-managed organization • - penetration testing/vulnerability management • -Experience reviewing and providing guidance on Cybersecurity contractual terms and conditions • -Experience with large complex financial institutions or another highly-regulated industry • -Experience in performing information security assessments; provide information security guidance to business stakeholders; interpreting and applying information security policy and standards • -Experience in working with the SIG (Standard Information Gathering) questionnaire, SOC2 reports, Penetration Test results, PCI (Payment Card Industry) reports as well as other Information Security documentation • -Experience with one or more of the following control areas: • o Identity and Access Management • o Incident Response and Logging • o Encryption • o Secure Coding • o Vulnerability Management • o Configuration Management FUNCTIONAL SKILLS • "-Demonstrate in-depth knowledge of concepts, best practices and controls in a breadth of Cybersecurity areas/domains; these information security areas include risk management, access control, cryptography, physical security, security architecture and design, network security, application & operations security and compliance/incident management • -Strong technical and/or IT audit background and practical knowledge of a wide variety of technologies which include server infrastructure & operating systems, network & web infrastructures, database architecture and intrusion detection/prevention systems • -Proficient working knowledge within the following risk domains/technologies: • -Database and application security, • -IDS/IPS technologies, System/Access Administration, • -Firewall technologies, • -Network Architecture, • -Security Event Logging & Monitoring • -Key Management/Tokenization, • -Database/Application/Network Layer Secure Protocols, • -Physical and Environmental Security, • -Secure Software/Code Development, • -Change Management, • -Vulnerability Management. • -Knowledge of SOC2 Reports, SCA (Standardized Control Assessment) which replaced AUP (Agreed Upon Procedures) preferred • -Familiarity with one or more of the following areas: • ­ IP networks infrastructure (network topology, switches, routers, firewalls, intrusion detection / prevention) • ­ Windows Active Directory (policies, structure, elements) • ­ Databases (SQL, Oracle, DB2, monitoring tools) • ­ Standards / Frameworks (COBIT 5, ITIL, ISO 15504, ISO 20000, ISO 27000, ISO 31000, ISO 38500, NIST series 800 guidance) • -Ability to conduct Computer Network Defense (CND) analysis by performing Deep Packet Inspection (DPI) of network traffic to identify and analyze anomalies and potential security issues • -Working knowledge and experience applying Information Assurance techniques to the implementation of complex networked systems environments and enterprise wide systems • -Expert knowledge of applying network switching, TCP/IP, IP addressing and routing, WAN Technologies, operating and configuring networked devices, and managing network environments, extending switched networks with VLANs, determining IP routes, managing IP traffic with access lists, establishing point-to-point connections" FOUNDATIONAL SKILLS • Demonstrates leadership • Communicates effectively • Identifies multiple paths to success using analytical and critical thinking as well as decision-making skills • Operates strategically to support a culture of continuous improvement and systems thinking • Makes sound business decisions in a complex work environment • Collaborates with other business functions and divisions to advance business objectives • Is flexible, decisive, and able to establish support from leadership • Monitors industry trends and best practices and applies insights to advance the business • Exhibits and fosters optimism, resilience, flexibility, and openness to others' ideas • Inspires innovation and values learning as a lifelong professional objective • Leads by example, engaging inclusively and with intent • Always acts with integrity • Iterative problem-solving • Serving as a trusted advisor RESPONSIBILITIES • - Develop guidelines for the usage, control, maintenance and audit-readiness of information and computer resources that are used in the distributed processing environment • - Coordinate with Service Requesters, Third Party Managers, and Third Parties to conduct and execute Due Diligence of third-party systems and applications • - Assist and conduct contract reviews of cybersecurity terms and conditions to protect the company • - Participate and take a leading role in technical aspects of Due Diligence related to high profile projects involving a Third Party • - Contribute to the further development and maturity of the Third Party Risk Due Diligence process and methodology • - Effectively communicate with stakeholders, including recapping discussions involving key decisions • - Conduct training to standardize the assessment and ongoing monitoring processes • - Escalate issues associated with vendors as needed to management • - Coordinate with stakeholders to initiate, scope and plan controls assessments of new and existing information systems • - Develop, publish, and maintain team procedures and documents • - Assess completed questionnaire and supporting documentation to validate appropriate implementation of information security controls; analyze the information to identify information security weaknesses or non-compliance with and industry standards • - Produce detailed documentation of assessments and perform threat analysis of gaps identified • - Communicate information security issues to stakeholders, ensuring their understanding of associated risks and actions needed for remediation • - Adhere to and comply with all applicable, federal and state laws, regulations and guidance, including those related to • ­Anti-Money Laundering (e.g. Bank Secrecy Act, USA PATRIOT Act, etc.) • ­Adhere to policies and procedures • ­- Validate evidence before identified risks are closed • - Manage penetration testing, dynamic and static code analysis and analysis on the bank’s the infrastructure and application information security on an ongoing and project basis • - Mentor and manage team members • - Lead risk findings to resolution • - Vendor contract management • - Assess the efficiency, relevance, and integrity of collected data • - Identify control deficiencies by analyzing and identifying underlying root causes • - Design, implement, and collaborate on a range of information security metrics and performance reports • - Assist stakeholders in identifying, initiating, and tracking corrective actions to address anomalies • Evaluate effectively information security threats • - Analyze test results in an objective and quantifiable manner

We are open to considering flexible working requests in line with organisational requirements.

MUFG is committed to embracing diversity and building an inclusive culture where all employees are valued, respected and their opinions count. We support the principles of equality, diversity and inclusion in recruitment and employment, and oppose all forms of discrimination on the grounds of age, sex, gender, sexual orientation, disability, pregnancy and maternity, race, gender reassignment, religion or belief and marriage or civil partnership.

We make our recruitment decisions in a non-discriminatory manner in accordance with our commitment to identifying the right skills for the right role and our obligations under the law.