ttb bank

Senior Specialist - IT Compliance

5-7 Years
  • Posted 8 days ago

Job Description

This role is responsible for ensuring the organization's IT complies with applicable laws, regulations, and internal standards. The position involves strategic planning, governance, risk assessment, regulatory liaison, and operational support. The specialist will work closely with cross-functional teams to identify, assess, and mitigate IT and cybersecurity risks while supporting compliance initiatives and regulatory engagements.

Job description

  • Monitoring and interpreting changes in IT/Cybersecurity laws, regulations, and international standards to ensure ongoing compliance.
  • Reviewing and updating internal policies and minimum standards to align with regulatory requirements and industry best practices.
  • Communicating regulatory updates to relevant business units, outlining potential impacts and ensuring timely implementation of required actions.
  • Collaborating with business units in the annual review of policies, procedures, and products to maintain compliance and operational integrity.
  • Coordinating quarterly meetings and reporting for the IT Non-Financial Risk Committee (IT NFRC), including readiness preparation and stakeholder engagement.
  • Participating in Risk and Control Self-Assessment (RCSA) and Control Framework (CF) workshops to:

    1. Provide expert insights on Information Risk Policy and related standards.
    2. Share perspectives on IT and cyber risks, as well as system control measures.
    3. Constructively challenge first line-of-defense functions on risk identification and remediation strategies.

  • Reviewing and updating Information Risk Policy and associated standards as assigned by senior leadership.
  • Supporting Compliance, Internal/External Audit, and regulatory bodies by providing accurate and timely information.
  • Conducting Quality Assurance (QA) reviews on completed Key Control Testing (KCT) activities within Business Operational Risk Management.
  • Maintaining and enhancing cyber risk awareness training content on the organization's e-learning platform.
  • Participating in annual Business Continuity and IT Disaster Recovery exercises to strengthen organizational resilience.
  • Executing special assignments as delegated by Head of Technology Risk and Compliance.

Qualifications

  • Master's or bachelor's degree in a computer-related or equivalent field
  • 5 years of professional experience in Information Security related fields and 3-5 years of working experience in the banking or financial services industry.
  • Knowledge and skills in the areas of IT governance, IT / cyber risk, and information systems control
  • Knowledge and skills in the areas of system development life cycle,
  • Good knowledge and understanding in IT and/or Cybersecurity related laws and regulations such as BOT's IT Risk Management Implementation, BOT's Cyber Resilience Assessment Framework (CRAF), Computer Crime Act, Personal Data Protection Act (PDPA), etc.
  • Good knowledge and understanding in international standards such as NIST 800-53, ISO 27000 series, ISO 22301, PCI DSS, COBIT, ITIL, etc.
  • Certified Information Security Manager (CISM), Certified in Risk and Information System Control (CRISC), Certified Information Systems Auditor (CISA) or Certified Information System Security Professional (CISSP) is an advantage
  • Good English communication and consulting skills.

4 regulators:

  • BOT
  • SEC
  • NCSA
  • ETDA

Job ID: 134943927