This role is a member of the Trading and Supply Risk and Compliance team (also referred to as the Controls team), covering all Trading & Supply SOM portfolios with a focus on SOX. It is responsible for advisory and assurance of the T&S controls framework, coordination of internal and external/SOX audit responses, ensuring supplier operations meet the evidence requirements of the IT general controls (including Legal & Regulatory), and onboarding of new controls as requirements for new applications/projects per IRM guidance.
You will be an integral part of IT Operations and accountable for proactively managing IT security, IT compliance, and related risks across Shell Trading and Supply IDT to ensure businesses receive operational services and products in a secure manner in line with our IT Control Framework as well as IRM strategies, policies, and processes.
The role is both visible and influential. As Security & Controls Advisor you will improve the IT controls landscape, drive/monitor remediation activities to mitigate significant risks to the Trading and Supply business, and champion standardization and automation of controls as the future state of our assurance cycles.
You will provide subject-matter-expert support, guidance and leadership on information risk management, IT controls, application security, and assurance matters. In these activities you will work closely with Landscape Managers, who are end-to-end accountable for IT operations in a specific domain, and you will coach their teams to understand their accountabilities in keeping Shell Trading and Supply secure.
Your remit also includes providing insight into and visibility of IT General Controls (ITGCs) status and related risks; you will be the key interface for ITGCs between your IT colleagues and IRM. Technical security aspects, e.g. following up on threats and vulnerabilities detected by our global Cyber Defense Team, are also part of your role.
- Ensure regulatory and compliance controls are embedded in landscape operations, and assist with timely evidence collection and readiness for audit purposes.
- Perform quality assurance reviews of control execution by the managed service providers.
- Work closely with IRM to understand the requirements of the controls and ensure new controls are designed and implemented appropriately across the organization.
- Coordinate responses for internal and external/SOX audits.
- Ensure all findings are actioned in a timely manner and, where possible, remediated according to plan.
- Establish, build, and enhance the skill set of Control Owners and Operators within the IT portfolio.
- Manage/support leadership dashboards for controls and findings status.
Dimensions and Special Challenges
- No direct reports, but motivates, instructs, and drives indirect reports in the Managed Service teams operating our controls.
- Role works across all T&S portfolios, with 100+ registered controls.
- Virtual working in a global environment with culturally diverse teams; managing multiple delivery priorities and demand requests; working with multiple stakeholders across various organizations.
- Risks: licence to operate, global reputation, and hundreds of millions of dollars at stake.
Qualifications and Skills
- Typical years of experience: 5 to 8 years in IT.
- Minimum education or certification: 4-year degree related to IT, Information Security, or Information Risk Management.
- Experience in IT risk management.
- Proven knowledge of SOX and of IT controls and frameworks (e.g. ISO 27001, COBIT, COSO).
- Exposure to IT audit (both internal and external).
- Exposure to IT operations and ITIL processes.
- Familiarity with external control and IT security standards, such as COSO and ISO 27001, plus related legal compliance aspects, such as privacy.
- Must have very strong verbal and written communication skills.
- Strong stakeholder, interpersonal relationship, and negotiation skills.
- Proven ability to deliver results in a matrix organization driving delivery excellence through influence and team working.
- Ability to handle concurrent tasks with appropriate priority.
- Ability to operate in a virtual cross-cultural organization.
- Ability to deal with conflict and ambiguity effectively.
- Understanding of the IT technical environment (including databases and application servers) will be considered advantageous.
- Industry-recognized certification and/or security- or audit-related qualification (e.g. ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISA, CISSP, CISM, CIA).
- Proven experience in performing internal audits of IT systems, infrastructure and IT security at the system or application level.
- Experience in IT service management.
- Technical knowledge of and experience with database platforms (Oracle, Sybase, Microsoft SQL Server).
- Technical knowledge of and experience with cloud platforms (Microsoft Azure, Amazon Web Services).
- Strong relationship skills to work with multiple stakeholders across organizational and business boundaries at all levels.
To apply for this job please visit jobs.shell.com.