Team Profile: Technology Risk’s (Tech Risk) mandate is to enable the Firm to manage its technology related risks. The department executes the first line of defense technology risk management capabilities and implements proactive, comprehensive and consistent risk management practices across the Firm. Tech Risk protects the Firm’s information, systems and infrastructure from cyber and insider threats; ensures the secure and stable delivery of services to our clients; and adjusts to risks presented by an evolving threat landscape. The department delivers a range of operational capabilities, as well as a suite of advanced detection, monitoring and analytics, and also provides expert advice on secure design and development and control effectiveness. Tech Risk manages responses to regulatory and client inquiries about the Firm’s technology environment and ensures Technology divisions meet governance and oversight obligations along all lines of defense, driving material and measurable risk reduction. Tech Risk maintains strategic relationships with external entities, both public and private, to facilitate information sharing and innovation in financial services, technology and government, and is also responsible for building risk education and security awareness programs to increase vigilance across the Firm.
Technology/Role/Department at Morgan Stanley
Technology and Operations Risk’s (TOR) mission is to deliver first-line defenses to manage Cyber and Fraud risks to Morgan Stanley’s technology, operations and information through risk identification, control management and assurance. This allows the business to operate and grow in a secure and legally-compliant manner. The team’s vision is to deliver programs that protect and enable the business, ensure secure delivery of services to clients, adjust to address the risks presented by an evolving threat landscape and meet regulatory expectations. The role is within the Technology Access Management (TAM) integration team of TOR. This team is responsible for integrating new platforms (databases, Kubernetes, dev tools, web infrastructure) with the firm’s Role Based Access Control (RBAC) model. As a result of this integration, platforms within the firm can comply with audit/regulatory requirements like segregation of duties, access reviews, change management rules and requirements.
We are looking for a Senior Security Professional - Access Management to support the TAM team in evaluating new cloud products that are bought or built by the firm and integrating them with the firm’s RBAC model. The role is expected to reduce risk for our business with an emphasis on improving access controls across our infrastructure. The successful candidate will be part of a team responsible for enabling TAM controls to support highly scalable and comprehensive firm cloud infrastructure (Azure, AWS, etc.). As part of the TAM team, you will be required to understand how authorization works for multiple infrastructure platforms and ensure that each platform’s authorization is consistent across the TAM ecosystem. You will also assist in improving the TAM service as the firm’s tech strategy evolves to support initiatives like public cloud enablement and DevOps automation, while keeping the principle of least privilege in mind.
- Collaborate with internal stakeholders to onboard platforms onto our role-based access control (RBAC) solution
- Integrate RBAC solutions native to the Morgan Stanley environment across multiple public cloud providers, including but not limited to Azure and AWS
- Staging, testing and deployment of new RBAC integrations, legacy integration enhancements and integration reconfigurations following our SDLC process
- Participate in continual process improvement activities to support our internal customers better with every integration
- Interact with and field requests from audit and other governance functions
- Create and maintain detailed documentation and knowledge base articles
- Bachelor’s Degree in Computer Science/Engineering, Information Security or similar
- More than 5+ years of work experience in a similar role
- Experience working with moderate to large scale enterprise architectures
- Knowledge of IAM fundamentals (authentication, authorization, principle of least privilege, etc.)
- Experience with a declarative programming language like Prolog or a scripting language like Perl, PowerShell or Python
- Savvy troubleshooting skills on a variety of different technologies (web, infrastructure, OS, application)
- An understanding of access control models like role-based access control and rule-based access control
- Ability to manage multiple tasks and deliverables simultaneously and in an organized and results-oriented manner
- Excellent people skills, since this position interacts with all levels of resources across the organization
- Industry certifications (i.e. CISSP, CISM)
- Understanding of IAM cloud platforms such as those offered by Azure, AWS, GCP, etc.
- Experience working with CI/CD tools and overall understanding of DevOps
- Prior experience in writing code in Prolog