IT Risk and Compliance Officer

4 weeks ago


Bangalore, India Jobted IN C2 Full time

Role Description:

About Us

Booking Holdings India is a Center of Excellence based in Bangalore, India and was created to support the increasing business demands of the Booking Holdings Brands. The Center of Excellence provides access to specialized and highly skilled talent, leading industry best practices, and collaboration opportunities across all of our Brands. As part of our Booking Holdings India team, you will have the opportunity to be a part of the world’s leading provider of online travel, with a mission of making it easier for everyone to experience the world through six primary consumer-facing brands: Booking.com, Priceline, Agoda, KAYAK, OpenTable and Rentalcars.com.

Job Summary:

Booking.com follows a defense-in-depth strategy for managing its risks. As part of this strategy, Booking has 3 departments focussing on each line of defense. Global Internal Audit (GIA) is responsible for the 3rd line of defense, Risk and Controls (R&C) is responsible for the 2nd line of defense, while the responsibility of the 1st line has been distributed between process/control owners and the Trust, Risk, Assurance and Compliance (TRAC) team. TRAC is the first-line-of-defense risk team responsible for Central Tech business unit risks and Security risks across the company.

The role is focused on leading the identification and reporting of first-line technical risks including, but not limited to: IT, cybersecurity, fraud, trust & safety and any regulatory compliance risks impacting our technology. This role requires engaging with various first-line stakeholders to track and monitor appropriate risk responses, and reporting on our IT controls framework. The IT Risk & Compliance Officer is responsible for partnering with risk owners throughout the Tech business function and other business units to design and maintain governance processes and operating models, and to set up GRC tooling that reflects our risk appetite and maintains the quality of our processes.
The role requires working closely with stakeholders from multiple departments and having a strong big-picture focus, while being able to zoom in and out of the details to ensure full process understanding. This individual contributor develops into a subject matter expert, leveraging an understanding of the enterprise risk discipline that combines knowledge of theory and organizational practice, or expertise across one or more disciplines within the security function (e.g. cybersecurity, privacy, fraud, trust & safety, corporate security, business continuity, IT disaster recovery) and industry frameworks such as NIST, PCI-DSS, SOX, and SWIFT CSF. This role requires practical knowledge of IT and cybersecurity controls to agree on mitigation plans for technology-related risks across the organization.

Responsibilities and skills required for the IT Risk Officer role in Risk Governance focus on upkeep of internal controls spanning the technology landscape, aligning with the organization's risk appetite and ensuring process quality within operational risk governance processes such as maintaining the cyber risk register, security exceptions, and audit issue remediation status. Daily activities involve working with engineering teams on audit issue resolution, validating remediation plans, and conducting re-testing and peer reviews. The IT Risk & Compliance Officer role requires solid stakeholder management skills and being comfortable with challenging risk owners to come up with robust, scalable solutions which mitigate key risks while enabling successful business operations.

Responsibilities:

- Tasks and responsibilities within Risk Governance Capability Area:
- Lead and own GRC operations like managing Risk Register, Risk/Issue triage, Risk monitoring and monthly updates, Risk Acceptances & Exceptions.
- Triage and track Issues from Observations coming from Security Assurance and Threat assessments to closure as part of the Observation and Issue Management (OBSIM) process.
- Track and monitor risks from Security Assurance and Operational Audit findings raised by GIA and report to Leadership.
- Process Security exceptions by working with Technology teams for exceptions to Booking.com policies and standards and report risks from the same.
- Build and manage a controls framework based on NIST CSF, SOX, PCI-DSS.
- Collaborate with control owners to deliberate and get alignment on control requirements.
- Work with senior stakeholders across various departments and business units to seek their alignment on the approach and methodology for the NIST CSF based Cyber Maturity assessment lifecycle.
- Manage end-to-end Assessment lifecycle stages like framework certification, Kickoff, Pre-assessment chores for internal and external assessment methodologies, managing reporting end to end, both at control owner level and executive level.
- Evaluate and provide strong guidance on product or service security issue remediation plans, validate fixes from a reduction-of-risk perspective, perform peer testing on product or application fixes and liaise with Engineering and Technology teams for the right level of remediation.
- Build and apply knowledge of internal controls, systems and process landscape to enable clear understanding of impact from IT issues and identify risks to be updated in the cyber risk register.
- Provide in-house consulting as SME to strategic programs.
- Stay flexible to meet the dynamic business needs, while maintaining robust solutions that strengthen the control environment.
- Be able to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.
- At least 5-7 years of relevant experience in GRC processes is mandatory. Candidates from product firms are preferred.
Qualifications:

- Work experience in business analysis, auditing, corporate governance, risk management or internal controls
- Knowledge of control frameworks such as NIST, PCI-DSS, SOX, SWIFT, etc.
- Hands-on experience in risk operational processes
- Ability to develop solid relationships with business partners in order to drive the adoption of the risk management culture.
- Hands-on experience with large e-commerce or tech companies preferable, especially within the first line of defense
- Strong knowledge and work experience in Technology Risk domains (Cybersecurity, Privacy, Third party, Fraud, Trust & Safety)
- Thorough technical understanding of internal control requirements and design and experience in applying them in various businesses
- Able to translate regulatory and risk-related functional and technical requirements for engineering teams to develop secure products, services and solutions.
- Able to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.
- Be flexible and agile in response to the change in business, change in stakeholder expectations and/or change in regulatory/operating environment of B.com.
- Strong independent contributor, while still a strong team player
- Previous experience in software development, software engineering is a plus
- Strong communication skills; fully comfortable working in English, both written and spoken


  • Compliance Officer

    1 week ago


    bangalore, India SKS Enterpprises - Human Resource Planning and Management Full time

    Job Title: Compliance Officer & Manager – Finance & Accounts Location: GIFT City, Gandhinagar Years of experience - 3 About the Role We are looking for a dynamic professional who is a Chartered Accountant (CA)/ Company Secretary (CS) to lead compliance and manage finance functions for our Fund operations in GIFT City. This is a dual-role position involving...

  • Compliance Officer

    7 days ago


    bangalore, India SKS Enterpprises - Human Resource Planning and Management Full time

    Job Title: Compliance Officer & Manager – Finance & Accounts Location: GIFT City, Gandhinagar Years of experience - 3 About the Role We are looking for a dynamic professional who is a Chartered Accountant (CA)/ Company Secretary (CS) to lead compliance and manage finance functions for our Fund operations in GIFT City. This is a dual-role position involving...


  • bangalore, India Teamware Solutions Full time

    Job Requirements Mandatory Skills The primary role of the Quality, Risk, and Compliance ("QRC") team is to ensure that technology projects comply with legal, regulatory and policy requirements. Actions taken to ensure compliance, as well as the results of any compliance activities, must be summarized and communicated to the technology sponsoring...


  • bangalore, India Teamware Solutions Full time

    Job Requirements Mandatory Skills The primary role of the Quality, Risk, and Compliance ("QRC") team is to ensure that technology projects comply with legal, regulatory and policy requirements. Actions taken to ensure compliance, as well as the results of any compliance activities, must be summarized and communicated to the technology sponsoring partner....

  • Compliance Officer

    3 weeks ago


    bangalore, India InBrok (IFSC) Private Limited Full time

    Compliance Officer (CO) – InBrok (IFSC) Private Limited Location: GIFT City – IFSC, Gandhinagar Employment Type: Full-time | On-site Department: Compliance & Regulatory Affairs About InBrok: InBrok is an emerging-market broker-dealer in the IFSC ecosystem, positioned at the intersection of regulatory innovation, and next-generation capital markets...


  • bangalore, India Tusk Investments Full time

    About Us: Tusk Investments is a Kolkata-based buy-side investment firm managing USD 150+ million in public equity assets. We combine deep fundamental research with a disciplined investment process to deliver superior long-term returns. We’re looking to strengthen our internal controls and governance standards as we scale. Role Overview: We are hiring a...

  • Risk Officer

    2 days ago


    Bangalore, India Jobted IN C2 Full time

    Role Description: As a Financial Systems Risk Officer, you safeguard the quality of our IT processes and controls, aligned with our risk appetite. You partner with cross‑brand stakeholders across functions, balancing a helicopter view with hands‑on detail to understand processes and provide precise guidance. Key Job Responsibilities and...


  • Bangalore, India ABB Full time

    Risk and Compliance Manager At ABB, we are dedicated to addressing global challenges. Our core values: care, courage, curiosity, and collaboration - combined with a focus on diversity, inclusion, and equal opportunities - are key drivers in our aim to empower everyone to create sustainable solutions. Write the next chapter of your ABB story. This is a...


  • bangalore, India beBeeRisk Full time

    Key Responsibilities: Regularly assess internal controls to ensure SOC2 compliance. Engage with vendors for security and risk reviews. Continuously monitor and score vendor risk. Highlight deviations in security control effectiveness. Lead Amagi's Security Awareness Program. Manage governance documentation. This role requires a deep understanding of the company's...


  • Bangalore, Karnataka, India MUFG Full time

    About MUFG Global Service (MGS): MUFG Bank, Ltd. is Japan's premier bank, with a global network spanning more than 40 markets. Outside of Japan, the bank offers an extensive scope of commercial and investment banking products and services to businesses, governments and individuals worldwide. MUFG Bank's parent, Mitsubishi UFJ Financial Group, Inc. (MUFG), is one of the...