Cybersecurity Policy Lead Analyst, Citi

Citi

Location:
Costa Rica, Heredia

Category:
IT - Administration

Contract Type:
Employment contract

Salary:

Not provided

Save Job

Apply Position

Job Description:

The Cyber Policy Governance & Consequence Management Team is a centralized team responsible for overseeing the cybersecurity policy process that provide management and operational controls to reduce risk and achieve regulatory compliance. The team helps cybersecurity program owners to align policy requirements with industry frameworks and regulatory expectations and manages the cybersecurity policy document workflow through iterative drafts, working group reviews, and governing body approvals. Additionally, consequence management plays a critical role in the risk reduction of potential CIA principles compromise by collaborating with investigative functions, HR, & legal in supporting the enterprise disciplinary framework.

Job Responsibility:

Supports the strategy for anchoring our standards in a modern control framework, aligning requirements to Citi’s cybersecurity risk tolerance, and establishing compliance monitoring as well as consequences for noncompliance
oversees the cybersecurity policy process and ensures policy owners adhere to the enterprise policies
closes gaps in control coverage, defines clear, measurable, and prescriptive requirements, and aligns with Citi’s global technology and risk management policy and standard requirements, as well as Citi’s global policy governance processes
establishes and maintains strong connections across the Cybersecurity organization and makes recommendations to senior leadership regarding policy and control enhancements
assesses information security investigation reports for accuracy, completeness, and fairness of an investigation prior to issuing disciplinary actions
identifies gaps and challenges any statements or conclusions that lack clear evidentiary backing for violations against information security policies
articulates the rationale and supporting evidence for disciplinary actions to senior management.

Requirements:

6-10 years of relevant experience in the Information Security field
policy writing expertise, with the ability to present information clearly and concisely to a wide breadth of stakeholders/senior management
risk management experience, including regulatory assessments, audit interaction, and enterprise control frameworks
knowledge of industry control frameworks (e.g., CRI Profile, FFIEC CAT, NIST)
understanding of how investigations are conducted, including evidence collection, interview techniques, chain of custody, and forensic analysis - preferred
understanding of organizational risks and how investigations contribute to mitigating them
ability to meticulously examine documents, data, and statements for subtle discrepancies, omissions, or inconsistencies
excellent written and verbal communication skills
highly organized and capable of overseeing numerous endeavors
excels at orchestrating complex, multi-faceted projects
ability to motivate and manage by influence
self-starter who requires minimal supervision
results-oriented, high-energy, self-motivated
technical skills (e.g., system and network security, application security) preferred
English proficiency required.

Nice to have:

understanding of how investigations are conducted, including evidence collection, interview techniques, chain of custody, and forensic analysis
technical skills (e.g., system and network security, application security)
relevant certification (e.g., CISA, CISSP, CISM)
Master’s degree.

Additional Information:

Job Posted:
August 29, 2025

Employment Type:

Fulltime

Work Type:

On-site work

View All Jobs In This Company

Job Link Share:

Cybersecurity Policy Lead Analyst