GovTech Singapore

GRC Application Security Specialist

MAS Building
Description

GRC Application Security Specialist (Contract)

Location: MAS: MAS Building

Time Type: Full time

Job Description

[What the role is]

Combining the duties of a Governance, Risk and Compliance Specialist and an Application Security Engineer, this role is crucial in developing and maintaining a robust culture of technology and cybersecurity risk governance across our organization.

The ideal candidate will have at least 5 years of relevant experience in ICT cybersecurity, data security, audit management, governance, and risk compliance management. He or she will be responsible for providing expert advice on cybersecurity requirements, reviewing and establishing ICT policies, and supporting various aspects of our tech governance framework.

Putting on the Application Security hat, he or she will also be responsible for identifying, assessing, and mitigating security vulnerabilities in software applications. They work closely with development teams to integrate security practices into the software development lifecycle (SDLC) and help ensure that applications are secure and compliant with relevant standards and regulations.

This role offers an opportunity to make a significant impact on our organization's ICT risk management and governance practices. The successful candidate will work with cross-functional teams to maintain the highest standards of cybersecurity and ICT compliance.

[What you will be working on]

Governance, Risk and Compliance (GRC)

• Develop and promote a culture of technology risk governance and management across the organisation, ensuring proper accountability in managing, tracking, and reporting technology and cyber risks

• Provide subject matter expertise to internal stakeholders on cybersecurity requirements, including compliance with MAS internal policies and standards, as well as policies from GovTech and Cyber Security Agency of Singapore

• Review and establish ICT policies and process controls, conducting regular compliance checks to ensure adherence

• Track and monitor technology projects and initiatives to meet compliance requirements, including Key Risk Indicators and Control Self-Assessment as part of the technology governance framework

• Monitor incident reporting processes, reviewing and reporting on corrective measures and improvement areas

• Participate in consultations and conduct gap analysis against new or revised regulatory requirements

• Assess and seek waiver approvals for deviations and develop risk treatment strategies

• Organise risk forums and monitor action plans, coordinate and facilitate IT and cybersecurity audits

• Track remediation plans to address audit findings and follow up on remediation actions with stakeholders, project managers, and application managers

Application Security

• Establish clear guidelines and best practices for secure coding, vulnerability management, and incident response across development teams

• Serve as Subject Matter Expert in application security for enterprise projects during development phases, providing information security consulting and recommendations

• Discover security vulnerabilities and devise mitigation strategies, reporting and resolving technical debt effectively

• Track and address security issues with timely remediation and patching processes

• Integrate security tools and processes into DevOps pipelines, automating security scans and tests

• Collaborate with developers and software teams to ensure security integration at every stage of software development

• Work with development teams to remediate application security vulnerabilities and prevent future incidents

• Implement and promote secure coding practices throughout the organisation

Strategic and Operational Excellence

• Recommend re-engineering and streamlining of processes to enhance control effectiveness

• Present management reporting to stakeholders with data analysis, trend identification, and strategic recommendations

• Enhance training materials and documentation in ICT risk management, developing case studies and best practices

• Stay updated on latest security threats, trends, and emerging technologies

• Identify opportunities for incorporating AI assistant tools into development processes and analyse efficacy of potential use cases

This integrated role ensures comprehensive security coverage from governance oversight through to technical implementation, creating a robust security posture across the organisation's technology landscape.

[What we are looking for]

  • At least 5 years of relevant experience in ICT cybersecurity, data security, audit management, governance, risk and compliance management, or in a security engineer or security architect role

  • Relevant certifications in IT governance, IT audit, cyber or data security (e.g. CISSP, CISM, CISA, etc.) preferred.

  • Ability to work with a cross-functional, multi-disciplined team to operationalise and monitor security policies and procedures.

  • Knowledge of Instruction Manual 8 and CSA Cybersecurity Code of Practice preferred.

  • Technical knowledge of security vulnerabilities, validation of remediations and risk assessments.

  • Experience in performing penetration testing, secure code review, static, dynamic and manual source code review.

  • Experience in identifying and remediating common web application vulnerabilities such as OWASP Top 10

  • Hands-on experience with Web Application Scanning Tools

  • Proven experience in secure coding practices, vulnerability assessment, and penetration testing

  • Relevant experience in data visualisation and analytics.

     

Skillset:

  • Strong analytical, reasoning and problem-solving skills. 

  • Meticulous with an eye for detail.

  • Good oral and written communication skills

  • Ability to work independently and assume responsibility for project deliverables.

  • Team player who is proactive and collaborative 

  • Experience in reporting and dashboards using JIRA is preferred.

As part of the shortlisting process for this role, you may be required to complete a medical declaration and/or undergo further assessment.

This is a 2-Year Contract. All applicants will be notified on whether they are shortlisted or not within 4 weeks of the closing date of this job posting.
