Senior Technology Risk Analyst

Position Description:

Provides risk and controls consulting on DevOps, Cloud migration, and new technologies. Coordinates Enterprise external audit technology engagements including Service Organization Controls (SOC) 1 and attestation reports in close partnership with the business unit technology risk teams. Works with technology teams, business owners, Enterprise Cybersecurity (ECS), Enterprise Infrastructure (EI), Cloud and Platform Engineering (CAPE), BU Technology partners, BU Operations Risk, and external auditors. Leverages analytical tools to gather data, analyze the information and uncover key insights that can be presented through data visualizations planning and coordination of audit cycles with external auditors and internal stakeholders. Applies the concepts of application development, deployment, and management patterns, and DevOps and Continuous Integration and Continuous Delivery (CI/CD) practices in the risk assessment. Performs risk assessments, control assessments, and IT Audits, or implements Cybersecurity controls in mainframe, distributed, network and Cloud environments. Presents the risk findings using business intelligence and visualization tools including Excel, Alteryx, Tableau, or Power BI. 

Primary Responsibilities:

• Develops and monitors controls related to DevOps, Cloud, and new technologies to meet audit objectives and requirements.

• Identifies, tracks, monitors, reports, and advises any risks to external audit engagements.

• Helps enhance and run external audit oversight program activities, including defining and executing the external audit strategy and program.

• Develops best in class standards and practices for external audits.

• Works closely with the various business unit technology risk and Enterprise Technology Risk (ETRA) Center of Excellence (COE) to perform proactive risk and control assessments for externally audited environments, monitors technology controls, and documents remediation plans.

• Conducts in depth information technology risk assessments including documenting controls, identifying potential gaps and/or inconsistencies, and making sound recommendations for improvement and/or mitigation.

• Develops analytics to proactively identify risk across the firm mainly in high impact areas including logical access, application resiliency, cloud, and vendor.

Education and Experience:

Bachelor’s degree in Computer Science, Engineering, Information Technology, Information Systems, Management Information Systems, Business Administration, or a closely related field (or foreign education equivalent) and three (3) years of experience as a Senior Technology Risk Analyst (or closely related occupation) performing Information Technology (IT) audits, risk assessments, and cybersecurity control review. 

Or, alternatively, Master’s degree in Computer Science, Engineering, Information Technology, Information Systems, Management Information Systems, Business Administration, or a closely related field (or foreign education equivalent) and one (1) year of experience as a Senior Technology Risk Analyst (or closely related occupation) performing Information Technology (IT) audits, risk assessments, and cybersecurity control review.

Skills and Knowledge:

Candidate must also possess:

• Demonstrated Expertise (“DE”) performing and coordinating external audit engagements for a large distributed enterprise -- SOC 1, 2, and 3, controls attestation reports, financial audits, and ISO 27001 external IT audit programs; coordinating responses to auditor requests for information with internal IT organizations; maintaining in-scope IT General Control (ITGCs) and IT Application (ITAC) documentation and procedures; and providing recurring management status reporting.  

• DE executing IT controls assurance programs by identifying and designing new controls, evaluating control procedures and evidence documentation, and conducting control assessments through formal design and operating effectiveness reviews; establishing control maturity and control/process enhancements using industry control frameworks -- American Institute of Certified Public Accountants (AICPA) Trust Service Criteria, ISO 27002 code of practice for information security management, Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and Related Technologies (COBIT), or National Institute of Standards and Technology (NIST) CSF. 

• DE performing risk and IT audits; implementing ITGC or cybersecurity controls for large-scale, complex IT infrastructures -- mainframe, distributed, network, Cloud, vendor hosted (SaaS/PaaS); reviewing vendors independent SOC 1 or SOC 2 audit reports to confirm vendor has appropriate controls in place for the services provided or to safeguard data; and creating executive communications, focused on risk, impact, and corrective actions, using existing Governance, Risk, and Compliance (GRC) tools (RSA Archer, IBM Open Pages, ServiceNow, or MetricStream). 

• DE performing risk assessments and IT audits of secure software development lifecycle (SDLC) processes and procedures; automating code build and deployment pipelines or orchestration solutions, using GitHub, SonarQube, Jenkins, Artifactory, or uDeploy; assessing software development controls, identifying potential gaps and inconsistencies, and making recommendations for improvement and mitigation; and overseeing remediation plans and providing recurring management status to senior management.

#PE1M2

#LI-DNI

Most roles at Fidelity are Hybrid, requiring associates to work onsite every other week (all business days, M-F) in a Fidelity office. This does not apply to Remote or fully Onsite roles.

Please be advised that Fidelity’s business is governed by the provisions of the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, the Investment Company Act of 1940, ERISA, numerous state laws governing securities, investment and retirement-related financial activities and the rules and regulations of numerous self-regulatory organizations, including FINRA, among others. Those laws and regulations may restrict Fidelity from hiring and/or associating with individuals with certain Criminal Histories.