
Cybersecurity Control Testing & CRI Maturity Assessor - Manager

Mitsubishi UFG · Financial Services


Posted: Today


About the role

Do you want your voice heard and your actions to count?

Discover your opportunity with Mitsubishi UFJ Financial Group (MUFG), one of the world’s leading financial groups. Across the globe, we’re 150,000 colleagues, striving to make a difference for every client, organization, and community we serve. We stand for our values, building long-term relationships, serving society, and fostering shared and sustainable growth for a better world.

With a vision to be the world’s most trusted financial group, it’s part of our culture to put people first, listen to new and diverse ideas and collaborate toward greater innovation, speed and agility. This means investing in talent, technologies, and tools that empower you to own your career.

Join MUFG, where being inspired is expected and making a meaningful impact is rewarded.

Job Summary: This role is a member of the CISO of America’s team within the Cybersecurity GRC function and is responsible for executing independent control testing, control assessments, and validation activities across both on-premises and cloud environments. The role performs CRI Profile maturity assessments, validates key security controls embedded within the SDLC (e.g., secure design, secure configuration, vulnerability management, and change/release controls), and evaluates evidence to confirm control design and operating effectiveness. The role also conducts third-party/vendor cybersecurity assessments with a focus on control validation and documented test results.

Primary Responsibilities

  • Assessment Planning & Scoping: Plan and execute control testing engagements by defining scope, test approach, sampling, and evidence requirements for on-premises and cloud-based control environments.

  • Control Testing & Validation (On-Prem & Cloud): Test control design and operating effectiveness using evidence-based procedures (e.g., walkthroughs, inquiry, inspection, observation, and re-performance) across identity, network, endpoint/server, data protection, logging/monitoring, vulnerability management, and configuration/change management for both on-premises and cloud platforms.

  • CRI Profile Maturity Assessments: Perform CRI Profile maturity assessments by mapping controls to CRI requirements, evaluating evidence, determining maturity ratings, and documenting gaps and improvement opportunities.

  • Third-Party/Vendor Control Assessments: Conduct third-party/vendor cybersecurity assessments with a focus on validating control design and operating effectiveness through questionnaires, interviews, and evidence review (e.g., SOC reports, policies/standards, procedures, test results) and documenting test conclusions and residual risk.

  • SDLC Control Validation: Validate the effectiveness of security controls embedded in the SDLC by testing secure design and threat modeling, code and dependency scanning, build/release controls, change management, vulnerability remediation SLAs, and exception handling across on-prem and cloud delivery pipelines.

  • Assessment Documentation & Reporting: Produce high-quality assessment workpapers, test scripts, and written results that clearly describe scope, procedures performed, evidence reviewed, exceptions identified, and final conclusions. Communicate results through formal reporting, including risk ratings, control gaps, and required remediation actions.

  • Remediation Validation (Re-Test): Validate closure of assessment findings by re-testing remediated controls and confirming that corrective actions adequately address identified control deficiencies.

Requirements:

  • Experience: 8-12 years of experience across risk management, information security, technology risk, IT audit, or IT operations, with demonstrated experience assessing control design and operating effectiveness. Prior audit/assurance experience is a plus.

  • Hybrid Technical Depth (On-Prem & Cloud): Proven ability to test and validate controls across on-premises infrastructure (networks, servers, endpoints, identity platforms) and cloud environments, including cloud native services and shared-responsibility control models.

  • Third-Party/Vendor Assessment Experience: Experience performing third-party cyber risk assessments, including evidence collection and review, control mapping to standards (e.g., NIST, CIS, ISO), risk rating, issue documentation, and remediation tracking.

  • CRI Profile Expertise: Experience performing CRI Profile assessments and/or maturity evaluations, including control mapping, evidence validation, and maturity scoring.

  • Documentation & Workpapers: Experience producing clear assessment documentation (workpapers), process/control narratives, test scripts, and issue statements that support risk ratings and remediation plans.

  • Regulatory & Financial Services Knowledge: Knowledge of relevant banking and privacy regulations and supervisory expectations (e.g., FFIEC, OCC, FRB, Basel, GDPR, etc.), including expectations for technology risk management, cybersecurity governance, and third-party oversight within regulated financial institutions.

  • SDLC / Secure Engineering Controls: Experience validating SDLC control effectiveness (e.g., secure design/threat modeling, SAST/DAST, dependency scanning, CI/CD build and release controls, change management, vulnerability remediation, and exceptions/waivers).

  • Certifications: Professional certifications such as CISSP, CISM, CRISC, CISA, CGEIT, or cloud security certifications (e.g., CCSK/CCAK or equivalent). Vendor/third-party risk or audit/assurance credentials are a plus.

Education:

Bachelor’s degree in Information Security, Computer Science, Information Systems, or a closely related discipline (or equivalent related experience).

Mitsubishi UFJ Financial Group (MUFG) is an equal opportunity employer. We view our employees as our key assets as they are fundamental to our long-term growth and success. MUFG is committed to hiring based on merit and organisational fit, regardless of race, religion or gender.


Aplyr's read

Mitsubishi UFJ Financial Group is a cornerstone of Japan's financial sector, attracting professionals in banking, asset management, and global markets operations.

Synthesized from recent postings & public sources

What's promising

  • MUFG offers diverse career paths across multiple financial services sectors.
  • The company is a leader in Japan's financial market, providing stability.
  • Recent roles show a focus on technology and compliance, indicating growth areas.

What to watch

  • Limited public information about work-life balance within the company.
  • The financial sector faces regulatory challenges that may impact operations.
  • Global economic shifts could affect MUFG's international business strategies.

Why Mitsubishi UFG

  • MUFG is one of the largest financial groups in Japan, influencing the market.
  • The company has a strong emphasis on integrating technology in financial services.
  • MUFG's global presence offers international career opportunities for employees.

Aplyr’s read is generated by AI from public sources.


About Mitsubishi UFG


三菱UFJフィナンシャル・グループ (MUFG) is a leading financial group in Japan, providing a wide range of financial services including banking, trust banking, securities, credit cards, and asset management.
