Citi ISO Sr. Analyst in Mexico

  • Primary Location: Mexico, Distrito Federal

  • Education: Other

  • Job Function: Technology

  • Schedule: Full-time

  • Shift: Day Job

  • Employee Status: Regular

  • Travel Time: Yes, 10% of the Time

  • Job ID: 16077762


Sr. Information Security Officer


The Sr. ISO is responsible for managing risk, providing controls and compliance guidance, and supporting Business Areas by ensuring compliance with Citi standards, policies, and procedures, liaising with internal and external auditors, and coordinating audit responses. The Sr. ISO needs to expand the capability to address the increasing number of vulnerabilities and security issues found in production application environments and processes. Sr. ISO responsibilities include any special project related to IS programs and processes.


  • Manages IS Officer teams for one or more business areas, one or more of which may be complex and may have variable issues with significant impact over area(s).

  • Manages ISOs and directs ISO activities for all aspects of the IS program

  • Establishes close communication with ISOs in the organization to provide direction, advice, and guidance

  • Establishes, maintains and manages an organization of effective Information Security at Banamex and its Affiliates

  • Ensures Information Security is managed as a Business Risk.

  • Participates in and promotes assigned Information Security initiatives within the Mexico Region.

  • Develops Specific Regional or Country Information Security Programs when needed.

  • Ensures the efforts of Information Security are consistent across all entities of the Mexico Region.

  • Ensures that Information Security is managed as a Business Risk (S041 security model).

Risk Management Responsibilities

  • Applies in-depth understanding of concepts and procedures within own area and basic knowledge of other areas to resolve issues that have impact beyond own area.

  • Influences and negotiates with senior leaders across functions. Communicates with external parties as needed.

  • Manages and resolves the most complex and highly variable issues with substantial potential impact.

  • Oversees corporate IS efforts to ensure they are completed.

  • Participates in discussions about strategic solutions for the business.

  • Helps align business needs and objectives with IS program requirements.

  • Ensures essential procedures are followed and provides feedback in defining standards.

  • Periodically reviews metrics to analyze the effectiveness of the IS program in the business.

  • Provides oversight to ensure that processes and projects are completed in a timely manner.

  • Manages IS risk during the development of new products and applications, ensuring that risks are mitigated during the development process; e.g., ID/password, encryption, system configuration, access, and administration

  • Participates in the evaluation and selection of IS applications and systems.

  • Developed communication and diplomacy skills are required to persuade and influence others; may negotiate with external parties.

  • Provides expert advice and analyzes information on S041 features, functionalities and operability based on users' information queries.

  • Documentation and administration of system S041 encryption keys

  • Oversees and guarantees the S041 Users/Entitlements compliant report feed to EERS

  • Reviews and analyzes user requests for integrating systems, transactions and/or screens into the system S041 security model.

Reporting and Governance Responsibilities

  • Analysis and identification of potential non-compliance issues

  • Contribute to ad-hoc requests and projects as required

  • Analysis and identification of potential non-compliance issues (Catalog security model)

  • Contribute to ad-hoc requests and projects as required (Catalog security model)

  • Act as subject matter expert on Application Information Security topics during Audit meetings

  • Identify opportunities for process improvement

  • Participation in Corporate and Regional working groups



  • 5+ years’ experience with all IS programs including, but not limited to, GIDA, IAM, Data Protection, Incident Management, Vulnerability Assessment; and Internal Control areas such as CoB, ORM, MCA, RM, etc.

  • 3-4 years’ experience of People Management

  • Experience working across lines of business.

  • Working knowledge of IS regulatory issues as well as company products and services

  • Deep knowledge of Information Security / Risk and Controls

  • A university degree in a technical or administrative field is desirable; it could be replaced by 3-5 years of experience

  • Professional certification, such as CISSP, CISM, CISA, or willingness to obtain certification within 12-18 months of start date

  • Exhibit strong influencing / negotiation skills as well as written/verbal communication skills.

  • English 80%.