Description

At Moody's, we unite the brightest minds to turn today's risks into tomorrow's opportunities. We do this by striving to create an inclusive environment where everyone feels welcome to be who they are-with the freedom to exchange ideas, think innovatively, and listen to each other and customers in meaningful ways.
If you are excited about this opportunity but do not meet every single requirement, please apply! You still may be a great fit for this role or other open roles. We are seeking candidates who model our values: invest in every relationship, lead with curiosity, champion diverse perspectives, turn inputs into actions, and uphold trust through integrity.
Skills and Competencies:

• Excellent verbal and written communication skills. Ability to handle negotiations and difficult conversations.
• Organized, attentive to detail, and able to prioritize and meet deadlines.
• Strong analytical, problem-solving, collaboration, and project management skills.
• Knowledge of IT and cyber controls and frameworks (SOC 1 and SOC 2, C5, NIST, ISO 27001, COBIT).
• 8 to 10 years' experience in IT audit, enterprise risk management, information security, or vendor risk management.
• Familiarity with software development practices and enterprise technology operations, particularly in public cloud environments.
• Proficient with Microsoft Office applications; familiarity with GRC platforms.
• CISA, CRISC, CISSP, PMP certification or equivalent experience.

Education

• Minimum Bachelor's degree in Engineering or related major from top institutions, Master's degree is a plus.

Responsibilities This role will support our risk management and compliance efforts, with a primary focus on assisting in managing SOC1/SOC2/C5, ISO audits, and customer audits of Insurance BU's software products and services. This role will also support technology and cyber risk assessments and monitoring risk remediation activities. Responsibilities include:

• Assist in SOC1/SOC2/C5 Audits: Collaborate with product teams to assist in the preparation, coordination, and execution of SOC1, SOC2 and C5 audits. This includes gathering relevant documentation, conducting internal assessments, and liaising with external auditors.
• Support ISO Audits: Assist in the management of ISO audits by helping to maintain compliance with ISO standards (e.g., ISO 27001). Contribute to the development and maintenance of policies, procedures, and controls in alignment with ISO requirements.
• Perform Technology and Cyber Risk Assessments: Perform internal technology and cyber risk assessments of products and services. Identify vulnerabilities, threats, and potential risks to our products and services. Work with product, technology and cybersecurity teams to mitigate identified risks.
• Risk Remediation Monitoring: Monitor and track the progress of risk remediation activities. Collaborate with stakeholders to ensure timely and effective remediation of identified risks and issues.
• Third-Party & Vendor Risk Management: Conduct due diligence assessments of vendors, review their security posture, and track risk remediation efforts. Integrate vendor risks into overall ERM reporting.
• Vulnerability Management: Oversee vulnerability identification, assessment, prioritization, and remediation efforts, working closely with engineering and operations teams. Establish and track key metrics to measure reduction of vulnerabilities and residual risk.
• Application security/product security: Lead the strategy and execution of application security risk management, ensuring security is embedded across the SDLC.
  Documentation and Reporting: Maintain accurate and up-to-date records of audit activities, findings, and remediation efforts. Assist in the preparation of audit reports and documentation for internal and external stakeholders.
• Compliance Monitoring: Support ongoing compliance efforts by monitoring adherence to policies, procedures, and regulatory requirements. Collaborate with teams across the organization to identify areas of improvement and assist in implementing necessary changes. Support efforts to automate and improve monitoring efficiency and coverage.
• Training and Awareness: Participate in training sessions related to risk management, compliance, and audit processes. Assist in raising awareness of compliance requirements within the organization.

About the team Risk management team within Insurance BU group oversees Insurance BU risk management framework and implements its risk management activities, with the objectives of safeguarding sensitive business data, protecting data privacy, addressing information security threats, ensuring legal and regulatory compliance, meeting customer requirements for controls assurance, and promoting risk awareness. The team collaborates with lines of business across MA risk management team and Moody's Shared Services to reduce risk to acceptable levels while enabling business priorities.
Moody's is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability, protected veteran status, sexual orientation, gender expression, gender identity or any other characteristic protected by law.

Candidates for Moody's Corporation may be asked to disclose securities holdings pursuant to Moody's Policy for Securities Trading and the requirements of the position. Employment is contingent upon compliance with the Policy, including remediation of positions in those holdings as necessary.