RequirementsBachelor’s degree (or equivalent practical experience) in Information Security, Information Systems, Computer Science, or related fieldRelevant certifications such as CISA, CISSP, Security+, PCI ISA, etc5–8 years of experience in 1st Line of Defense control testing, technology audit, risk & compliance, or security engineering with demonstrated ownership of testing/assurance outcomesStrong technical understanding across core security control domainsExperience building and executing test procedures against formal standards/frameworks, including scoping, sampling, and defining evidence requirementsAbility to produce clear, defensible test documentation with strong attention to detail and consistencyExperience in a payment, fintech, bank, or other highly regulated environmentFamiliarity with payment security concepts and frameworks, particularly PCI DSSExperience with GRC platforms (e.g. RSA Archer) and evidence/workflow automationWhat the job involvesCorporate Security is responsible for keeping Mastercard safe and secure from cyber and physical threatsWe are a highly effective team protecting a major component of global payments infrastructureOur Security Risk and Control Operations team is at the forefront of this effort in the “1st Line of Defense,” coordinating efforts across Corporate Security, enterprise risk management, and market-facing product teams to assess risks, implement controls to mitigate them, and provide assurance to regulators and stakeholders of Mastercard’s best-in‑class performance in information securityWe are seeking a Lead Security Control Assessor to execute testing of security controlsYou will perform quality control over documented control processes, shape control testing plans, review submitted evidence, evaluate control strength, and initiate findings of any shortfallsAs a member of an enterprise‑wide risk management community of practice, you will also play a key role in maturing the control testing program through standardization, automation, and reporting that provides management visibility and supports regulatory/customer requirements (e.g., PCI DSS, SOC 1/SOC 2, ISO 27001)Execute control testing (including design and operating effectiveness) across key security control domains such as access management, vulnerability management, logging/monitoring, encryption, incident response, etcEvaluate evidence submitted by operators of security controls, rate effectiveness, and initiate findings as requiredFacilitate remediation of control gaps by partnering with control owners, control operators, and security engineers to clarify requirements, remove blockers, agree on target dates, and elevate overdue or high‑risk gaps through defined governanceIdentify and communicate priorities for security control testing across the business, leveraging relationships with security control owners, knowledge of the risk environment, and awareness of metrics on control performanceParticipate in documentation of control testing procedures and drive enhancements of control testing toolsSupport internal/external assessments and audits by coordinating evidence, leading walkthroughs of control design/testing approach, and addressing inquiries in partnership with compliance and audit teamsNICE Framework references:Mastercard Corporate Security Roles have been aligned with the NICE framework (National Initiative for Cybersecurity Education). For this role the NICE Work Roles most closely aligned are:Security Control Assessment (OG-WRL-012): Responsible for conducting independent comprehensive assessments of management, operational, and technical security controls and control enhancements employed within or inherited by a system to determine their overall effectivenessSystems Testing and Evaluation (DD-WRL-007): Responsible for planning, preparing, and executing system tests, evaluating test results against specifications, and reporting findingsVulnerability Analysis (PD-WRL-007): Responsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense‑in‑depth architecture against known vulnerabilitiesCybersecurity Architect (DD-WRL-001): Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architecture, and the resulting systems that protect and support organizational mission and business processesSystems Security Analyst (OM-ANA-001): Helps ensure secure configuration and operational security requirements are implemented and verifiable in production environments
#J-18808-Ljbffr