T S
No H1
Hybrid role
Position Summar
The Sr Technology Risk Engineer is responsible for the delivery of the program elements of all
first line of defense risk activities directly or indirectly impacting Information Technology and
Information Security within Flagstar. The Sr Information Technology Risk Engineer will leverage
experience in business and technical acumen environment to execute the technical program activities
in the areas of audit, technology, compliance, risk management and security. The position will be
responsible for delivery of an Information Technology Risk program with clear, defined operational
policy, standards and procedures related to Information Technology and Security.
Job Responsibilities

• Design/execute specific Information Technology and Security risk program elements to mitigate

enterprise IT and security risks throughout the Bank. Be a role model to more junior members of the
team.

• Design/engineer/execute the implementation of the components of the Information Technology Risk

Program to include external compliance, internal audit, security, vendor management, operational
risk, quality assurance and quality controls for technology and information security.

• Design/engineer/execute internal and external compliance technology audits and regulatory exams,

representing Information Technology throughout the lifecycle of the audit. (planning through
remediation strategy)

• Execute the first line of defense Risk Management functions for IT meeting the Enterprise Risk

Management (ERM) program elements, processes, and compliance requirements. Execute the Risk
Controls Self-Assessment process for Information Technology and Information Security.

• Execute Awareness and Training for Risk Program elements to enhance awareness and training

appropriate for Flagstar’s needs to ensure that risk responsibilities are understood and carried
out throughout the enterprise.

• Design and execute implementation of Governance, Risk, and Control frameworks and systems based

on recognized best practices such as COBIT, ISO, NIST, GLBA, SOX, FFIEC, etc.

• Ensures compliance with applicable federal, state, and local laws and regulations. Completes all

required compliance training. Maintains knowledge of and adhere to Flagstar’s internal compliance
policies and procedures. Takes responsibility to keep up to date with changing regulations and
policies.
Job Requirements

• Bachelor's Degree in a related field is strongly desired.
• Certified Information Systems Security Professional (CISSP), Certified Information Security

Manager, (CISM), Certified Information Systems Auditor (CISA), or Certified in Risk and Information
Systems Control (CRISC) preferred.

• 6 years of experience working in technology audit, Information Security, or Information

Technology required.

• 2 years of SOX IT control execution or testing or IT auditing experience or IT risk.
• Three years of Information Security or IT experience.
• Demonstrated experience in Risk and Control Self Assessments, Audits, or exams for technology or

information security.

• Demonstrated ability to audit general IT controls including related infrastructure (Active

Directory), operating systems (UNIX, Linux, Windows), databases (Oracle DB and MS SQL DB), and
applications (Oracle, PeopleSoft, Salesforce, etc.).

• Design and perform root cause analysis, control gap assessments, and process improvement

projects using technical and problem solving and critical thinking skills to quickly identify
internal control deficiencies, evaluate their risk implications, and draw the appropriate
conclusions.

• Understand Industry standard frameworks for technology, such as COBIT, ISO, NIST, SANS, and

others to design Governance, Risk and Control frameworks, and systems for technology and
information security.

• Design and develop internal control documentation including narratives, process and data flows,

and other supporting work papers.

• Moderate to in-depth understanding of business environment and risks associated with the

financial services industry, IT environments, and information dataflow.

• Understand IT audit principles and audit procedures, and determining and evaluating the severity

of potential issues identified during testing, and to provide guidance to more junior team members.

• Understand IT organization business processes and systems (IT Security, data management,

architectural and planning, technology life cycle management, regulatory concerns).

• Participate in multiple projects concurrently, works under pressure well.
• Strong verbal and written communication skills with comfort around presenting new ideas and

presentations to senior management.

• Demonstrated track record of meeting time commitments.
• Demonstrated track record of working effectively across functional and organizational

lines.

• Demonstrated knowledge of risk management tools.
• Ability to work in teams, and/or as an individual contributor.