EY
Career Pages

TR-Senior (Kolkata, WB, IN, 700091)

Kolkata, WB, IN, 700091
Full Time
Senior Level



Full Job Description

EY is seeking a Senior Technology Risk professional to join its Cyber COE group in Kolkata, West Bengal, India. This role offers a significant opportunity to contribute technically to IT Risk and Assurance client engagements and internal projects, playing a key part in the growth of a new service offering within a leading firm.

The ideal candidate will possess a strong understanding of Identity and Access Management (IAM) principles, frameworks, and best practices, coupled with robust consulting and advisory skills to address client needs. Hands-on experience with Privileged Access Management (PAM) tools and strategies, including implementation, is essential. Expertise in identity lifecycle management processes (provisioning, de-provisioning, role management) and analyzing security risks related to identity and access are also required.

Key competencies include knowledge of role-based access control (RBAC), multi-factor authentication (MFA), and single sign-on (SSO) implementations. The role involves participation in security compliance projects related to IAM, leading workshops, and collaborating with IT teams on IAM and PAM solutions. Responsibilities also extend to ISO 27001 Information Security Management System implementation and sustenance, assessing client information security postures, identifying risks, and developing mitigation strategies.

Further responsibilities include reviewing and implementing information security controls across various domains such as Change Management, Incident Management, Backup, User Identity and Access Management, Antivirus Management, SLA performance, Media Handling, Physical and Environmental Security, and Information Handling. The role also entails conducting vendor risk assessments, advising on information classification frameworks, and performing information systems audits covering IT infrastructure assets. Serving as a technical lead on security and privacy implementation projects, including design, build, testing, and deployment, is also a core function.

Technical knowledge in areas such as CSPM, EDR, SIEM/SOAR, and Vulnerability Management is a plus. A solid understanding of cybersecurity concepts (Vulnerability Management, Identity Management, Risk Management) and the ability to translate data into actionable metrics to improve cyber security posture are important. The role requires effective communication with senior stakeholders like CISOs and CIOs.

Experience in conducting information security assessments, including business continuity plan audits, network security audits, GenAI audits, and infrastructure audits, is expected. Familiarity with NIST assessments, ISO assessments, privacy impact audits, Data Privacy and GDPR implementation, Data inventory development, and Third-Party Risk Assessment is also valuable. Proficiency with IT industry frameworks such as ISO27001, ISO42001, NIST, PCI-DSS, TISAX, DSA/DMA, GDPR, NIS2, and HITRUST is required.

Key responsibilities involve testing and supervising the delivery of assigned controls, including ITGC, ITAC, ISO27001 & NIST assessments, Privacy Assessments, Cyber Maturity Assessments, IT Policies and Standards Assessments, SDLC, System Architecture, Operating Systems, Databases, Networks, Security Systems, Cloud Services, Asset Inventories, Incident Management, and Recovery Management. Collaboration with control owners and stakeholders to ensure successful reviews, minimizing contention, and managing escalations is crucial.

Candidates should apply judgment and risk management concepts to identify findings and provide insights for process improvement and risk management. Reviewing IT policies and standards to ensure alignment with industry standards and staying current with cybersecurity regulations are also key aspects of the role.

To qualify, candidates must have a Graduate degree (CS/IT, Electronics, Electronics & Telecommunications) or MBA/M.Sc. with 4-7 years of experience. Industry certifications such as CISSP, CISM, CRISC, or CISA are a strong plus. Significant experience in at least one of the following is required: ISO assessments, NIST assessments, Data privacy audits, Network and Infrastructure audits, Cyber Maturity Assessment, IT Policies and Standards Assessment, IAM and IT Asset Management, IT Health Check, BCP/DR audit, or Application security audits.

EY offers a dynamic environment with opportunities to work with global Assurance practices and leading businesses. The firm emphasizes commercial acumen, technical experience, and a passion for learning. EY provides support, coaching, and feedback, along with opportunities for skill development and career progression, enabling individuals to grow into responsible roles with challenging assignments within an interdisciplinary environment focused on high quality and knowledge exchange.

Company

EY


Ernst & Young (EY) is a global leader in assurance, consulting, tax, strategy, and transactions services. With a mission to build a better working world, EY empowers clients to achieve long-term value...

Posted on Career Pages