Systems Risk Analyst

  • U.S. Commodity Futures Trading Commission
  • Washington D.C., DC, USA
Full Time Information Technology

Job Description

At the full performance level, you will serve as a Systems Risk Analyst in the Compliance Branch (Branch) of the Division of Market Oversight (DMO), as senior staff of the Branch's Market Continuity Program (MCP). Using advanced knowledge of information technology (IT) concepts and of standards, guidelines, and best practices regarding system safeguards and security control reviews, you will conduct the CFTC's oversight of compliance by Designated Contract Markets (DCMs), Swap Data Repositories (SDRs), and Swap Execution Facilities (SEFs) with the system safeguards requirements of the Commodity Exchange Act (Act) and CFTC regulations. Additionally, you will:

Plan and conduct System Safeguards Examinations (SSEs) and Targeted Maturity Assessments (TMAs) of all DCMs, SDRs, and SEFs, to evaluate the reliability, cyber and physical security, adequate scalable capacity, internal oversight, and testing of their automated trading and data reporting systems, and the compliance of their programs of system safeguards risk analysis and oversight with the requirements of the Act and CFTC regulations.

Serve as one of DMO's senior IT and system safeguards experts for performance of system safeguards oversight that is complex, sensitive, and of high importance to the mission of the CFTC.

Serve as an expert on teams conducting system safeguards examinations (SSEs) of DCMs, SEFs, and SDRs to assess their compliance with the system safeguards requirements of the Act and Commission regulations. SSEs address DCM, SEF, and SDR compliance with core principles requiring the regulatee to: establish and maintain a program of risk oversight to identify and minimize sources of operational risk through development of appropriate controls and procedures and development of automated systems that are reliable, secure, and have adequate scalable capacity; establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery that allow for the timely recovery and resumption of operations and the fulfillment of the duties and obligations of the regulatee; and periodically conduct tests to verify that backup resources are sufficient.

SSEs focus on seven risk oversight program areas, including:

  1. Enterprise risk management and governance;
  2. Information security;
  3. Business continuity and disaster recovery, including pandemic planning;
  4. Capacity and performance planning;
  5. Systems operations;
  6. Systems development and quality assurance; and
  7. Physical security and environmental

In leading or participating on an SSE or TMA team, the incumbent will:

  • organize and conduct review of documents provided by the DCM, SDR, or SEF examined;
  • conduct extended on-site interviews, as a senior expert on the interview team, with regulatee senior management and technical staff;
  • apply extensive, expert knowledge of risk oversight, IT principles, appropriate controls and procedures, and best practices for automated systems to the analysis of information developed in the course of the SSE or TMA, and play a significant participatory role at an expert level in MCP staff determination of appropriate findings and recommendations;
  • draft a detailed report of MCP findings and recommendations;
  • participate as a senior-level expert in communicating findings and recommendations to senior management and technical staff of the DCM, SDR, or SEF examined; and
  • assess the efficacy and timeliness of corrective action taken by the DCM, SDR, or SEF

The incumbent represents the MCP on DMO teams reviewing applications from entities seeking designation as a DCM or registration as an SDR or SEF.  The incumbent serves as an expert in technical reviews by MCP staff of the applicant's compliance with system safeguards requirements for entities seeking the designation or registration in question.  The incumbent also expertly communicates with applicants during the registration or designation process and participates as a senior-level expert in MCP staff evaluation of applicant sufficiency in light of applicable system safeguards requirements, and drafts system safeguards-related portions of related reports and registration or designation orders. The incumbent may be required to independently conduct such technical reviews, including on-site registered entity and data center visits.

There are a few openings for this position in Washington, DC, Chicago, and New York.

Salary

$113,988 - $208,876 per year