27 Mar 2026

Security Architecture

Category:  Technology Division
Job Type: 
Facility:  Technology

Key Accountabilities (1)

Why This Role: Security governance is currently squeezed into regular domain reviews. Security requirements are reactive ("add security to the design") rather than proactive ("here are the security standards, build against them"). Payment Card Industry Data Security Standard (PCI-DSS), Anti-Money Laundering (AML), and banking secrecy regulations require dedicated security governance. This role ensures security standards are published upfront, embedded in reference architectures, and consistently applied across all designs.

Responsibilities:

+ Security Reference Architectures: Develop and maintain reference architectures for each domain that embed security controls (authentication, authorization, encryption, audit, secrets management). SAs use these as starting points, not as afterthought add-ons.

+ Security Standards & Checklists: Publish domain-specific security checklists (e.g., "Building a microservice in Domain 5? Here are the 12 required security controls"). Tier 1 self-approval checklists include security checklist items.

+ Security Review in Tier 2/Tier 3: Participate in Tier 2 reviews (with Domain EA) and Tier 3 reviews (with ARB) to assess architectural security. This is dialogue, not veto — Security Lead and Domain Lead solve design problems together.

+ Threat Modeling: Conduct threat modeling workshops for high-risk designs (Tier 3, or any design involving payment/regulatory data). Use STRIDE or similar framework. Document threats and mitigations in the architecture decision record.

+ Security Policy Development: Work with Compliance, Risk, and IT Security teams to translate regulatory requirements (SBV banking secrecy, PCI-DSS, AML) into architectural policies and standards.

+ Third-Party Security Assessment: Lead security architecture assessments for new vendors, cloud platforms, or technology selections. Provide security evaluation input to PoC process (works with Emerging Tech Lead).

+ ARB Participation: Attend every ARB meeting to present security architecture updates, discuss security review findings, and provide security perspective on high-complexity designs.

+ Incident Root-Cause Liaison: When security incidents occur, work with IR team to identify whether the root cause was an architectural control gap. Feed findings back into reference architecture updates.

Success Metrics (6-month review):

+ Security reference architectures developed for 2–3 high-risk domains (Domain 1, Domain 4, Domain 5)

+ Security checklists published and integrated into Tier 1 self-approval workflow

+ % of Tier 2/Tier 3 designs with documented threat modeling: 100% (for high-risk designs)

+ Spot-check audits find security control compliance: 95%+

+ No post-implementation security architecture gaps discovered in spot-check audits

Success Profile - Qualification and Experiences


Qualifications
- Graduated in Information Technology or Banking
Work Experience
- Understand the bank's IT development strategy and roadmap for the next 5 years
- Able to propose solution architecture for some main business areas of the bank such as Payment, BPM, DW, Risks, Lending...
- Ability to coordinate with other units to carry out the work from ideation to design and operation
- Expertise in and deep understanding of the analysis, design, and selection of technical solutions
- At least 8 years of experience in practical implementation of many key solutions in end-to-end banking from business to application and deployment layer such as card, core, internet banking, data warehouse...
- Strong verbal and written communication, collaboration, and leadership skills with Technical teams and Business teams
- Experience guiding/teaching others in architecture principles, such as roadmaps, technical standards, non-functional requirements, and solution diagramming/documentation
- Demonstrated success working with standard software development lifecycle models, deliverables/artifacts and tools, SOA concepts and design patterns
- Experience designing scalable/reliable/flexible/secure solutions across heterogeneous hardware platforms, operating systems, middleware, and infrastructure technologies
- Technical experience with architecture, technology stacks, or overall architectural governance
- Experience with cloud computing and/or other virtualization technologies
- Experience establishing and documenting standards, guidelines, and best practices

Language level
English, according to TCB's regulations in each period
