Team Leader Information Security Operations , Kraków
OANDA is a global leader in online multi-asset trading services, currency data, corporate payments and FX services.
Everyone at OANDA is focused on our vision to transform how our customers can meet all their currency needs. From our roots in 1996 that provided free currency exchange information to launching a multi-award winning global FX and CFD trading business to our recent new venture of money transfer. OANDA is now a major global player.
Team Lead Information Security Operations: Plan, implement, upgrade, and monitor security alerts / indicators for the protection of OANDA’s digital assets and information. Ensures appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure. Develops plans to protect against, and responds to, computer security incidents, security / data breaches, and viruses. The Team Lead Information Security Operations updates and maintains control matrices and spreadsheets and provides recommendations for management’s consideration. This position ensures compliance with OANDA’s internal controls, regulatory and information security policies and procedures. The incumbent works with internal audit, external audit firms, and regulatory agencies to provide supportive documentation as applicable. May lead coordination on projects and/or system maintenance activities.
- Business Requirements Identification: Collect business requirements using a variety of methods such as interviews, document analysis, workshops, and workflow analysis to express the requirements in terms of target user roles and goals.
- Database Specifications: Lead the approval process for database specifications to ensure all agreed standards and protocols are followed and data integrity is preserved.
- Data Governance: Lead aspects of Data Governance with guidance from senior colleagues. This includes being responsible for leading the authoring, developing, and operating basic elements of data governance to deliver prescribed outcomes.
- Information Security: Lead the implementation and provide input on the design and improvement of required security measures for (but not limited to) user applications, firewalls, application servers, user endpoints, and message / data encryption standards.
- Analysis of "As Is" and "To Be": Lead the documentation of "as is" and "to be" posture and processes and recommend the changes required to migrate to the "to be" capability to record accurately the change required.
- Testing IT Performance: Perform website/applications software tests and work with OANDA teams to demonstrate and validate and, where applicable, lead the remediation of confirmed vulnerabilities.
- Documentation and Back up: Lead the creation and maintenance of technical and/or user documentation to a high standard.
- Technical Developments Recommendation: Research and suggest technical developments to improve the security / resiliency of OANDA applications, supporting infrastructure, as well as internal user-facing assets.
- Personal Capability Building: Develop own capabilities by participating in assessment and development planning activities as well as formal and informal training and coaching; gain or maintain external professional accreditation where relevant to improve performance and fulfil personal potential. Maintain an understanding of relevant technology, external regulation, and industry best practices through ongoing education, attending conferences, and reading specialist media. Lead security meetings with other teams and the presentation of findings with clear / concise action plans to senior management.
- Vulnerability Management: Develops vulnerability management strategies and capabilities. Uses approved tools and techniques to scan OANDA infrastructure and applications to detect security vulnerabilities. Uses various reporting methods to articulate the severity and business impact of such vulnerabilities at a senior-management / Executive ready level, and works with system custodians / application owners to remediate identified vulnerabilities. Assists in the selection of third-party organizations to conduct external vulnerability scans and penetration testing, to meet regulatory requirements.
- Security Awareness: Uses subject matter expertise to either produce or assist in the production of relevant training material to increase and build employee defense against security threats, such as malware, phishing, and physical security.
- Incident Planning, Detection and Response: Authors and/or contributes to Incident Response Playbooks to ensure that OANDA is prepared to respond to security incidents in a consistent and professional manner. Prepares Security Incident Reports and Compliance Reports, as needed, to a high standard at a level fit for regulatory oversight. Creates and manages security alerts for the timely identification of security incidents and responds to such incidents in line with established Playbooks. Invokes the Security Incident Response Plan when required and keeps stakeholders informed throughout the incident lifecycle. Conducts incident post-mortem reviews, documents lessons learned, and sees recommendations through to completion.
- Risk Management: Evaluates risks and develops security standards, procedures, and controls to manage risks. Improves OANDA’s security positioning through process improvement, policy, automation, and the continuous evolution of capabilities.
- Governance: Performs and investigates internal and external information security risk and exception assessments. Assesses incidents, vulnerability management, scans, patching status, secure baselines, penetration test results, phishing, and social engineering tests and attacks.
- GRC: Implements processes, such as GRC (governance, risk and compliance), to automate and continuously monitor information security controls, exceptions, risks, and testing. Develops reporting metrics, dashboards, and evidence artifacts. Defines and documents business process responsibilities and ownership of the controls in the GRC tool. Schedules regular assessments and testing of the effectiveness and efficiency of controls and creates GRC reports.
- Audit and Regulatory Compliance: Responding to external regulatory questionnaires, working with Internal Audit to ensure that Regulatory requirements are responded to accurately, with supporting evidence. Leads remediation effort of gaps detected by external auditors, works with internal teams and Internal Audit to ensure that gaps are remediated effectively and efficiently.
- Ethical hacking: Aims to expose weak points and identify potential threats so that the organization can protect itself from malicious hackers. This includes penetration testing, during which an analyst tests networks, computers, web-based applications, and other systems to detect exploitable vulnerabilities.
- Computer forensics: Aims at the prevention of crime through the collection, analysis, and reporting of data, and at preserving evidence in the event of a breach.
- Reverse engineering: To comprehend why a piece of software does what it does, in order to patch a bug or analyse malware.
- Data Collection and Analysis: Works independently and provides guidance and training to others on analysing data trends for use in reports to help guide decision making.
- Action Planning: Works without supervision and provides technical guidance when required on developing appropriate plans or performing necessary actions based on recommendations and requirements.
- Compliance Management: Uses comprehensive knowledge and skills to act independently while guiding and training others on achieving full compliance with applicable rules and regulations in management and/or operations.
- Data Control: Applies comprehensive knowledge and skills to work independently while providing guidance and training to others on acquiring, organizing, protecting and processing data to fulfil business objectives.
- Planning and Organizing: Uses comprehensive knowledge and skills to work independently while providing guidance and training to others on planning, organizing, prioritizing and overseeing activities to efficiently meet business objectives.
- Policy and Regulation: Works independently and provides guidance and training to others while interpreting and applying comprehensive knowledge of laws, regulations and policies in area of expertise.
- Business Requirements Analysis: Uses comprehensive knowledge and skills to act independently while guiding and training others on analysing the business requirements that IT solutions must meet. Determine acceptance and evaluation criteria; Prioritization; Observation; Focus groups; Analysis Skills.
- IT Support: Uses comprehensive knowledge and skills to act independently while guiding and training others on monitoring, diagnosing and fixing technological problems.
- Identity and Access Management knowledge
- Network/IT security: Uses comprehensive knowledge and skills to act independently while guiding and training others on maintaining the security, integrity, compliance and continuity of IT systems and services. Experience with firewall rule review a must.
- Policy and procedures: Uses comprehensive knowledge and skills to work independently while providing guidance and training to others on developing, monitoring, interpreting and understanding policies and procedures, while making sure they match organizational strategies and objectives.
- Assessment: Works without supervision and provides technical guidance when required on analysing data from multiple sources to draw appropriate conclusions and make suitable recommendations.
- Phishing Campaign program knowledge
- Minimum 3 years of experience in people management.
- General Experience: Previous experience of 7-10 years specifically in the information security industry
- Industry Credentials: CISSP (minimum), plus CISA or CISM
- Working knowledge of industry security standards such as SOC2, ISO27001/ISO27002, NIST, etc.
- Demonstrated experience working with security technologies
- Demonstrated experience with implementing internal processes to manage information security initiatives
- Experience with compliance and regulations in the financial industry
- Experience writing security policies, standards, guidelines and processes
- Certifications such as Certified Ethical Hacker, CompTIA Network+, CWAPT Certified Penetration Tester, Certified Reverse Engineering Analyst
OANDA Global Corporation is a diverse and global team with offices around the world. We value the unique skills and experiences each individual brings to OANDA. We are committed to creating and sustaining a collegial work environment in which all individuals are treated with dignity and respect and one which reflects the diversity of the community in which we operate. We provide an inclusive and accessible environment for everyone.
Candidates selected for an interview will be contacted directly. If you require accommodation during the recruitment and selection process, please let us know. We will work with you to provide as seamless a recruitment experience as possible.