IT Risk & Compliance Officer - Governance operations & processes

Booking.com
₹3,10,766 - ₹3,93,499 per year
Karnataka
1 week ago
Role Description:

Booking.com follows a defense in depth strategy for managing its risks. As part of this strategy, Booking has 3 departments focussing on each line of defense. Global Internal Audit (GIA) is responsible for the 3rd line of defense, Risk and Controls (R&C) is responsible for the 2nd line of defense, while the responsibility of 1st line has been distributed between process/control owners and the Trust, Risk, Assurance and Compliance (TRAC) team. TRAC is the first-line of defense risk team responsible for Central Tech business unit risks & Security risks across the company.


The role is focused on leading the identification and reporting of first-line technical risks including, but not limited to: IT, cybersecurity, fraud, trust & safety and any regulatory compliance risks impacting our technology. This role requires engaging with various first-line stakeholders to track and monitor appropriate risk responses, and reporting on our IT controls framework.


The IT Risk & Compliance Officer is responsible for partnering with risk owners throughout the Tech business function and other business units to design and maintain governance processes and operating models, and to set up GRC tooling that reflects our risk appetite and maintains the quality of our processes. The role requires working closely with stakeholders from multiple departments and keeping a strong big-picture focus, while being able to zoom in and out of the details to ensure full process understanding.


This individual contributor develops into a subject matter expert, leveraging an understanding of the enterprise risk discipline and combining knowledge of theory and organizational practice or expertise across one or more different disciplines within the security function (e.g. cybersecurity, privacy, fraud, trust & safety, corporate security, business continuity, IT disaster recovery) and industry frameworks such as NIST, PCI-DSS, SOX, and SWIFT CSF. This role requires practical knowledge of IT and cybersecurity controls to agree on mitigation plans for technology-related risks across the organization.


Responsibilities and skills required for the IT Risk Officer role in Risk Governance focus on upkeep of internal controls spanning the technology landscape, aligning with the organization's risk appetite and ensuring process quality within operational risk governance processes such as maintaining the cyber risk register, security exceptions, and audit issue remediation status. Daily activities involve working with engineering teams on audit issue resolution, validating remediation plans, and conducting re-testing and peer reviews.


The IT Risk & Compliance Officer role requires solid stakeholder management skills and being comfortable with challenging risk owners to come up with robust, scalable solutions which mitigate key risks while enabling successful business operations.


Key Responsibilities.


Responsibility


Tasks and responsibilities within Risk Governance Capability Area:


  • Build and manage controls framework based on NIST CSF, SOX, PCI-DSS

  • Collaborate with control owners to deliberate and get alignment on control requirements.

  • Work with senior stakeholders across various departments and business units to seek their alignment on the approach and methodology for NIST CSF based Cyber Maturity assessment lifecycle.

  • Manage end to end Assessment lifecycle stages like framework certification, Kickoff, Pre-assessment chores for internal and external assessment methodologies, managing reporting end to end, both at control owner level and executive level.

  • Be the single point of contact for Vendor management required for managing external assessments.

  • Triage and track Issues from Observations coming from Security Assurance and Threat assessments to closure as part of the Observation and Issue Management (OBSIM) process.

  • Track and monitor risks from Security Assurance and Operational Audit findings raised by GIA and report to Leadership.

  • Process Security exceptions by working with Technology teams for exceptions to Booking.com policies and standards and report risks from the same.

  • Manage Policy Governance lifecycle by working with senior stakeholders within and outside Security and Fraud organization in managing Booking.com policies, standards and other documentation.

  • Evaluate and provide strong guidance on product or service security issue remediation plans, validate fixes from a risk-reduction perspective, perform peer testing on product or application fixes and liaise with Engineering and Technology teams on the right level of remediation.

  • Build and apply knowledge of internal controls, systems and process landscape to enable clear understanding of impact from IT issues and identify risks to be updated in the cyber risk register.

  • Liaise with other risk and audit teams (Risk and Controls, Internal Audit, external auditors, Business continuity teams, IT Disaster recovery and Service continuity team etc.) as needed

  • Provide in-house consulting as SME to strategic programs.

  • Stay flexible to meet the dynamic business needs, while maintaining robust solutions that strengthen the control environment

  • Be able to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.


Communication.


Type, available options: Cooperation, Persuasion, Information

Frequency, available options: Continuous (daily or a number of times a day), Frequent (about once a week), Occasionally (once or twice a month or less)


Stakeholder: Tech business function and other business units

Type: Cooperation

  • Partner with risk owners by providing guidance and support in designing and implementing appropriate controls to strengthen the control environment, mitigate the company risks and support the business in achieving objectives.

  • Identify control gaps, based on identified risks.

  • Facilitate and participate in cross functional groups to implement or enhance controls in cross functional processes.

  • Support risk owners in standardizing & improving process and controls documentation.

  • Support business functions and units in ongoing compliance with SOX, PCI, GDPR and other control areas.

  • Conduct risk assessments and document the outcome and action plans.

Frequency: Continuous


Stakeholder: Compliance, Monitoring and Assurance

Type: Information

  • Inform of new IT control implementations for tracking and reporting.

Frequency: Frequent


Stakeholder: Risk Governance & Projects

Type: Information

  • Report the outcome of assessments for risk monitoring and reporting.

Frequency: Frequent


Stakeholder: Subject Matter Experts (SMEs) e.g. Security, Fraud, Privacy, Legal, etc.

Type: Cooperation

  • Obtain guidance and support for the implementation of IT controls in different regulatory domains.

Frequency: Frequent


Stakeholder: Internal & External audit

Type: Cooperation

  • Support Internal and External audit engagements to ensure that remediation plans are implemented on a timely basis for any deficiencies found.

  • Support SOX and PCI audit cycles.

Frequency: Frequent

Knowledge and skills.

Level of Education

Available options: Not required, Specialized Diploma, Bachelor degree, Master degree, PhD

Selected: Bachelor degree


Years of relevant Job Knowledge

Available options: Limited Job Knowledge (0 - 1 year), Basic Job Knowledge (1 - 3 years), Broad Job Knowledge (3 - 5 years), Advanced Knowledge (5 - 8 years), Extensive Knowledge (8 - 12 years), Substantial Knowledge (12 + years)

Selected: Broad Job Knowledge (3 - 5 years)


Requirements of special knowledge/skills


  • Work experience in business analysis, auditing, corporate governance, risk management or internal controls

  • Knowledge of control frameworks such as NIST, PCI-DSS, SOX, SWIFT etc.

  • Hands-on experience in risk operational processes

  • Ability to develop solid relationships with business partners in order to drive the adoption of the risk management culture.

  • Hands-on experience with large e-commerce or tech companies is preferable, especially within the first line of defense

  • Strong knowledge and work experience in Technology Risk domains (Cybersecurity, Privacy, Third party, Fraud, Trust & Safety)

  • Thorough technical understanding of internal control requirements and design and experience in applying them in various businesses

  • Able to translate regulatory and risk-related functional and technical requirements for engineering teams to develop secure products, services and solutions.

  • Able to split large tasks into logical, manageable and decoupled actions which are managed effectively and delivered on time.

  • Be flexible and agile in response to the change in business, change in stakeholder expectations and/or change in regulatory/operating environment of B.com.

  • Strong independent contributor, while still a strong team player

  • Previous experience in software development, software engineering is a plus

  • Strong communication skills; fully comfortable working in English, both written and spoken
