Job Description:
Business Overview:

The 3rd Party Security Risk Assessor, reporting to the Head of Cyber Security, will be performing security assessments of vendors, service providers and 3rd party companies that manage systems or information for the client.

Responsibilities:
Review services provided by the vendor and define the scope of the assessment based on SIG questionnaire / AUP controls
Perform remote security assessments via WebEx, or a select few onsite assessments in the New York area
Review assessments performed by a 3rd party provider or by our team in India
Define appropriate risk levels and corrective actions
Report on assessment outcomes, risk level and associated recommendations
Input corrective action plans into system
Follow up on corrective action plans and review evidence for closure
Provide metrics on a regular basis (KPI / KRI)
Periodically reach out to vendors hosting our data regarding current threats, to ensure they are taking the necessary steps to reduce exposure

Qualifications:

Bachelor of Computer Science degree from an accredited college or university, or equivalent work experience
Minimum 5 years professional work experience, including a minimum of 2 years in an Information Security role or an IT Auditor role
Strong written/verbal communication skills, and organizational and work documentation proficiency
Good communicator with demonstrated ability to pass messages in a clear and concise manner
Ability to adapt to changing priorities, handle multiple assignments, and adhere to strict deadlines
Ability to coordinate actions from several different teams
Experience performing IT audits or IT security risk assessments
Experience with the Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP), or another vendor assessment questionnaire / control set, preferred
Experience with Hiperos or another vendor management / GRC tool (Archer, MetricStream, Process Unity)
CISSP, CISM or CISA certification

Managed the team responsible for conducting information security assessments of vendors and governing internal implementation and usage of various technologies following a risk based approach
Conducted complex onsite reviews following a risk based approach to evaluate the adequacy and effectiveness of third party vendor controls around information security and applicable regulatory programs, identification of security gaps, assess the applicable risk, and determine residual risk
Experience in audit, security and regulatory frameworks, and reliance testing including ISO 27001, NIST 800, GLBA, SSAE 16 and ISAE 3402, SIG and AUP
Scoped, managed, and reviewed field work performed by 3rd party consultants around Foreign-Based Service Providers (FBSP) with offshore locations
Executed quality assurance reviews of peer work papers, reports, and adherence to the review process
Managed over 200 third party information security risk assessments. Coordinated with internal and external assessors to ensure assessments went according to schedule. Reviewed the findings from assessments for applicability and calculated the risk. Presented the findings to the business line and law firms, explained the risk and assessed the firms' remediation plans to ensure they adequately addressed the risk / issues identified. Reviewed evidence provided by the firms for closure of the issues.
Conducted several IT vendor security risk assessments using SIG/AUP or other similar proprietary questionnaires / control matrices for two global banks to test whether the service provider's environment met the bank's standards on IT security policies, encryption standards, incident management, application development, privacy requirements, logical, physical and environmental security, operations, business continuity, incident management controls, as well as other requirements. Assessments varied from a few-hour pre-assessment of their environment over the phone to a detailed multi-day onsite review. Scheduled debrief calls with the bank and vendor to discuss the risks posed by the findings and determine whether remediation plans were necessary.
Expertise/Hands On Experience:
Vendor Security Management
Privacy and IT Audit
Hands on experience with ISO 27001, NIST 800, IT and FFIEC cybersecurity risk assessments
CISA, CISM, CISSP if possible


Client: BNPP
