Associate - Technology Cybersecurity Audit (Internal Audit)

We're seeking someone to join our team as an Associate to work in the technology audit team, within Internal Audit, to manage/execute risk based assurance activities.

The Internal Audit Division (IAD) drives attention and resources to vulnerabilities by providing an independent and well-informed view and impactful messages about the most important risks facing our Firm. This is accomplished by performing a range of assurance activities to independently assess the quality and effectiveness of Morgan Stanley's system of internal control, including risk management and governance systems and processes. IAD serves as an objective and independent function within the Firm's risk management framework to foster continual improvement of risk management processes. This is a Director level position (P3) within Technical Specialist job family, which is responsible for assessing risks and determining and executing coverage of Model Risks

• Execute a wide range of assurance activities (e.g., audits, continuous monitoring, closure verification) with guidance, including which focuses on cybersecurity controls application controls supporting the business processes, including systems development, application security and entitlements, production management, and technology governance(e.g., audits, continuous monitoring, closure verification)
• Understand and adopt new audit tools and techniques
• Develop clear and concise messages regarding risk and business impact within relevant coverage area
• Identify and leverage data to incorporate into analysis of coverage area
• Collaborate with a wide range of internal stakeholders to build effective working relationships and to execute on team deliverables
• Effectively manage multiple deliverables while delivering high-quality work

• Understanding of audit principles, tools and processes (e.g., risk assessments, planning, testing, reporting and continuous monitoring)
• Ability to communicate clearly and concisely and adapt messages to audience
• Ability to identify patterns and anomalies in data with guidance
• A commitment to practicing inclusive behaviors
• Willingness to solicit and provide feedback to further develop self and peers
• At least 2 years' relevant experience would generally be expected to find the skills required for this role
• Strong understanding of industry standards such as the NIST Cybersecurity Framework, NIST 800-53, PCI-DSS, CSA, ISO 27001/02, CIS Top 20 Critical Security Controls (formerly SANS), FFIEC guidelines etc.
• Technical knowledge of IT systems, including:

• Databases
• Operating Systems (UNIX, Linux, Windows, z/OS)
• Networking, including VPN, LAN, WAN, WLAN
• Firewalls and associated hardware
• Backup and Recovery system
• Middleware
• Virtualization Technologies
• Data Loss Prevention tools, Intrusion Detection and Intrusion Prevention tools
• Penetration Testing Tools
• Tools such as Splunk, ArcSight, WatchTower
• Good understanding of threats, vulnerabilities, risk, confidentiality, integrity, availability, cryptography, network security, web-based applications architecture and security, network protocols