Principal Technology Risk Analyst

Enterprise Technology Risk & Analytics (ETRA) is seeking a passionate, driven, and experienced technology professional to join our team.

The Role
The individual in this role will be based in Merrimack, Boston, Smithfield, or Westlake and report to the Director of Technology Risk for Advanced Process Solutions (APS), Customer Contact Center (EC3) and Enterprise Infrastructure & Operations (EI&O), within ETRA. The individual will work closely with our business units, Internal Audit, Risk, Information Security Officers (ISOs), and Fidelity external auditors and regulators.  

You will work closely with various ETRA Centers of Excellence (COEs), perform proactive risk and control assessments, monitor technology controls, document and oversee remediation plans, participate in corporate audits, and provide External Audit support.  You will be responsible for monitoring and escalating business impacting incidents to ETRA and LRC senior leaders and develop/maintain associated reporting.  

This is also a great opportunity to work closely with the BU Technology teams on emerging technologies supporting modernization efforts.  
 

The Expertise You Have
•    5-8 years of experience in information technology risk management, audit and/or compliance, or cybersecurity with significant experience in information technology controls review; experience in financial services audit organization preferred  
•    BA/BS, preferably in technology or related field of study
•    Demonstrated technical abilities in multiple areas (e.g., technology infrastructure and application controls, cybersecurity, access management, resiliency, data loss prevention (DLP), network, cloud, etc.)
•    Experience performing technology risk assessments, control assessments or IT Audits
•    Ability to represent complex programs to external auditors and regulators
•    Experience or knowledge of cloud-based deployments, DevOps, and associated risk/controls and auditing requirements preferred
•    Expertise and hands-on experience in ITSM processes, at an enterprise level
•    Professional technology risk certifications or interest in pursuing (CISSP, CISA, CRISC, CISM) preferred
 

The Skills You Bring
•    You have a strong knowledge of information technology processes and controls and a comprehensive understanding of risk, quality control and assurance functions.
•    Your ability to build and maintain collaborative working relationships with Information Technology and Business personnel 
•    Your love of solving complex problems, comfort with ambiguous situations, and your ability to help solution innovative ways to mitigate risk using your advanced analytical and critical thinking skills
•    Your process orientation and understanding of operations and technology enabling you to provide support in the analysis, development, and monitoring of controls
•    Your ability to manage multiple projects concurrently and to work under pressure to meet tight timeline commitments
•    Experience performing risk assessments, control assessments, IT audits or implementing technology controls for large scale financial service organizations (mainframe, distributed, network and cloud environments)
•    Knowledge of industry standards, frameworks, and best practices, such as NIST, SOC1, SOC2, ISO27001, ISO27701, ISO22301 
•    Your skillset and hands-on experience with ITSM processes and oversight
•    Your excellent verbal and written communication skills enabling you to prepare and present recommendations to business partners and senior management
•    Advanced computer literacy with word processing, spreadsheet, process flow and presentation applications
•    Your comfort with data analytics and ability to consume and distribute data
•    Knowledge of governance, risk, and compliance (GRC) tools, such as Archer is preferred
•    Understanding of application development, deployment and management patterns, especially DevOps and CI/CD practices is preferred
 

The Value You Deliver
•    Ability to act as a leader on the team, who is comfortable sharing your thoughts and POV to senior management
•    Desire to continuously learn and stay up to date on an ever-changing technology landscape.
•    Assessing the various information technology risks that the business units face in their operations and implementing action plans, policy and procedural changes for risk avoidance and mitigation
•    Conducting in depth information technology risk assessments, which include documenting controls, identifying potential gaps or inconsistencies, creating detailed process flows, and making sound recommendations for improvement and/or mitigation
•    Conducting readiness reviews and IT General Control reviews for large information technology development projects ensuring appropriate systems development lifecycle methodologies are being applied and necessary controls are in place
•    Identifying/designing appropriate KPIs/KRIs for IT risk monitoring 
•    Understanding and consulting on information security standards and industry best practices
•    Ensuring associates are trained and knowledgeable about information technology controls
•    Reviewing third party vendors and contracts to ensure appropriate controls are in place and function effectively 
•    Tracking action plans to ensure findings are remediated appropriately, and in a timely manner 
•    Liaison with Internal and External audit teams, tracking internal and external audit findings, perform issues follow-up, consulting and action plans with owners and issue resolution.
•    Providing risk perspective for technology incidents, track risk findings related to incidents, and serve as a liaison for technology risk management
•    Evaluating control maturity by performing control design and operating effectiveness reviews and peer reviewing as needed

The Team

The Technology Risk team oversees the management of controls, and the mitigation of risk related to our technology infrastructure and processes, focusing on protecting the interests of our clients, customers, employees, and company. Our team’s focus is technology risk the for EI&O Business unit.​

Fidelity’s hybrid working model blends the best of both onsite and offsite work experiences. Working onsite is important for our business strategy and our culture. We also value the benefits that working offsite offers associates. Most hybrid roles require associates to work onsite every other week (all business days, M-F) in a Fidelity office.

Please be advised that Fidelity’s business is governed by the provisions of the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, the Investment Company Act of 1940, ERISA, numerous state laws governing securities, investment and retirement-related financial activities and the rules and regulations of numerous self-regulatory organizations, including FINRA, among others. Those laws and regulations may restrict Fidelity from hiring and/or associating with individuals with certain Criminal Histories.