
Job Description - Vulnerability and Configuration Assessments (VACA) & Software Supply Chain Security
Location - Mumbai
Experience - 5 to 8 Years
Role Overview
The role is responsible for leading and managing the Bank's enterprise Vulnerability Assessment (VA), Configuration Assessment (CA), Software Bill of Materials (SBOM), and Cybersecurity Bill of Materials (CBOM) programs. The position will primarily focus on governance, operational oversight, remediation tracking, reporting, audit coordination, regulatory compliance, and continuous enhancement of the Bank's security posture.
The candidate will manage enterprise Vulnerability Management and Configuration Assessment operations using, while also governing SBOM and CBOM processes to strengthen software supply chain security across applications and infrastructure.
Key Responsibilities
Vulnerability Management & Configuration Assessment
• Lead the Bank's Vulnerability Assessment (VA) and Configuration Assessment (CA) programs and associated BAU activities.
• Oversee vulnerability identification, prioritization, remediation tracking, and timely reporting to application and infrastructure teams.
• Monitor remediation SLAs and ensure closure of Critical and High-risk vulnerabilities.
• Manage Configuration Assessment activities and track compliance against approved hardening standards.
• Govern and maintain Secure Configuration Documents (SCDs) for existing and new technologies.
• Reconcile enterprise asset inventory with vulnerability and configuration assessment coverage.
SBOM & CBOM Governance
• Manage the Bank's SBOM and CBOM governance processes.
• Coordinate with application owners and vendors for onboarding and maintenance of CycloneDX files.
• Maintain reconciliation of application inventory against SBOM/CBOM coverage.
• Monitor vulnerabilities in open-source libraries, software dependencies, and cybersecurity-related components.
• Ensure timely notification and tracking of Critical and High vulnerabilities identified through SBOM/CBOM analysis.
Governance, Audit & Reporting
• Prepare dashboards, management reports, and risk posture updates for leadership and governance forums.
• Support audits, compliance reviews, and regulatory submissions by providing required evidence and documentation.
• Review policies, governance standards, user access management, and operational procedures related to the program.
Tool & Team Management
• Drive optimization and maximum utilization of and associated SBOM/CBOM tools.
• Identify opportunities for automation, reporting enhancement, and operational improvements.
• Lead and manage the operational team responsible for VA, CA, SBOM, and CBOM activities.
• Coordinate with Infrastructure, Application, DevOps, Audit, Risk, Compliance, and Vendor teams.
Required Skills & Experience
• Strong experience in Vulnerability Management, Configuration Assessment, and Security Governance.
• Hands-on experience with Qualys.
• Understanding of SBOM, CBOM, CycloneDX standards, and software supply chain security.
• Knowledge of secure configuration hardening, remediation governance, and risk prioritization.
• Experience in audit handling, regulatory coordination, reporting, and stakeholder management.
• Strong leadership, communication, and analytical skills.
Preferred Qualifications
• Bachelor's degree in Information Security, Computer Science, Engineering, or a related field.
• Relevant certifications such as CISSP, CISM, CEH, Qualys certifications, or equivalent preferred.
• Banking / BFSI domain experience preferred.
Job ID: 148361555