State Street’s Corporate Information Security (CIS) group plays a key role in the bank’s enterprise third party/vendor risk management function. The CIS vendor risk team is seeking an experienced Legal or third party risk professional to design and transform the third party risk program with regard to contract terms and vendor oversight. Additionally, they will conduct information security risk assessments of critical suppliers.
This role will:
- Lead the negotiations on security terms and obligations of our vendors together with State Street’s Legal and Procurement groups to ensure that contracts with third parties reflect an appropriate level of control for IT/security risks.
- Collaborate with supplier relationship managers to help document the inherent risks in certain third party relationships and the controls in place to ensure a secure and compliant engagement.
- Design and transform vendor contracts and SOWs and how they impact security program operations, including ongoing monitoring requirements.
- Be responsible for reviewing security controls and/or regulatory compliance measures present at high and critical-rated Third Party Providers utilized by State Street.
In this role, the candidate must be capable of influencing courageously at all levels of the organization to ensure that third party relationships strike an effective balance between business and security requirements.
- 6-10 years of prior IT Audit, Legal and/or Information Security experience, particularly in a role related to third party risk assessment
- Familiarity with reviewing SSAE16 and other independent reports, and a strong knowledge of applicable federal and state privacy/security laws and accreditation standards
- Proven ability to translate complex regulations (ISO, SOX, NIST, UK PRA, EU Data Directive, HIPAA, PCI, etc.) into clear, easily understood action plans
- Effective written and oral communication skills
- Strong negotiation skills
- Ability to train others in security concepts
- Ability to synthesize data about information risks to identify hidden trends and themes, and to communicate this information to internal stakeholders
- Industry certification a plus (CISSP, CISA or CISM, etc.)
- Degree in Law, management information systems, business administration, or related discipline