Key Accountabilities
- Reporting to the General Manager of Risk Management and managing a team of technology risk management professionals;
- Executing and refining the monitoring framework and mechanism in respect of information security and technology risk, which extends to physical data / information security and technology risk management for managing the eMPF platform (the Platform) which is developed, administered and operated by a third party delivery partner (the “Delivery Partner”);
- Executing and refining the governance framework of information security and technology risk management to ensure adherence to relevant regulatory requirements and best practices for benchmarking the Delivery Partner’s deliverables;
- Ensuring policies and procedures are properly enforced and monitored in actual practice to achieve relevant governance goals;
- Working closely with the Delivery Partner to review and approve deliverables, including but not limited to the completeness and reasonableness of the detailed work submitted by the Delivery Partner compared with market practice, e.g. maintenance of a fit and proper technology risk management framework, up-to-date security measures for detecting, preventing, managing and monitoring attempted cyber intrusions or financial crimes against the Platform, tools for reporting and monitoring issues, incidents and risks, promotion of information and technology security awareness across all relevant personnel supporting the Platform, and all other aspects relevant to information security and technology risk management and assurance applicable to the Platform;
- Establishing and providing oversight on information security and technology risk related work by the Delivery Partner, including but not limited to working with the Delivery Partner to develop and refine reporting metrics (such as performance indicators and risk indicators), risk controls assessments, and an incident and risk register to record and monitor all potential risks identified, and ensuring proper monitoring and follow-up on the identified risks through the implementation of rectification;
- Overseeing the Delivery Partner’s operations and management of information security and technology risk management related initiatives;
- Ensuring proper response and handling, escalation and reporting of system security incidents;
- Keeping abreast of developments in the market by conducting ongoing research and developing core knowledge of industry best practices for information security and technology risk management and assurance;
- Ensuring the implementation of initiatives adheres to the strategic architecture and governance model and is up to market standards;
- Overseeing the security risk assessments, red team security tests, and compliance assessments on information security and technology risk; and
- Providing regular and ad hoc reporting to management on work progress and potential issues. For issues handling, collaborating with the Delivery Partner, Risk Management Team, Digital & IT Team, Data Assurance Team and other relevant teams, as appropriate, on root cause analysis as well as review and monitoring of remediation plans and implementation.
Skills and Qualification
- Degree holder in Computer Science / Information Security or related disciplines;
- Minimum 12 years of relevant experience in multiple areas including technology risk, information security, cyber security, regulatory compliance in a financial services and/or public sector environment with 4+ years at managerial level (applicants with less experience will be considered for the post of Senior Manager);
- Minimum 2 years’ experience in leading a team of information security / technology risk professionals to accomplish information security / technology risk management;
- Relevant technology management and IT audit qualifications, e.g. CISM, CISSP, CISA, CRISC or equivalent;
- Extensive knowledge on information security and technology risk management principles and best practices;
- Hands-on experience in configuring security devices, SIEM monitoring, penetration testing, red team security testing and risk controls implementation is preferred;
- Good knowledge of PDPO, ISO 27001 and general compliance as well as infrastructure and applications;
- Experience in communicating technology risks to senior management on both technical and non-technical aspects;
- Proactive, responsible, strong sense of work ownership, good problem solving, communication and interpersonal skills, good vendor management skills, independent and yet a good team player with strong market sense and analytical thinking;
- Good command of both spoken and written Chinese and English; and
- Keen and willing to work with the flexibility required and the level of change involved.
Remuneration Package
Rank and salary will be commensurate with qualification and experience. The initial appointment will be made on a fixed-term contract. A competitive remuneration and benefits package including discretionary performance-linked variable pay, annual leave, medical, dental and life insurance coverage, and MPF will be offered.
To Apply
Interested candidates are invited to apply via our online application. The closing date for application is 22 September 2025. Applicants not contacted for follow-up within 3 months after the closing date for application may assume that their applications are not successful. Applications not selected for further processing may be considered for other relevant openings in the future but their applications will not be retained for more than a period of two years after the closing date.
The information provided will be kept confidential and used only for purposes relating to your application. Please visit our website for the details of the MPFA’s Personal Information Collection Statement at https://www.mpfa.org.hk/en/mpfa/joining-mpfa/job-vacancies/personal-information-collection-statement. The MPFA and its subsidiary are equal opportunities employers and welcome applications from all qualified candidates.