Working within the IT organization and reporting to the Associate Director of Governance, Risk and Compliance (“GRC”), the Analyst is responsible for helping support the day-to-day operations of the Vendor Risk Management Program. You will assist with vendor risk analysis to ensure vendors have the proper cyber and data protection controls in place to minimize the firm’s exposure to risk.
You will work with a team of security professionals to ensure that the firm’s third-party vendors are cyber secure and are protecting data in accordance with regulatory and legislative requirements, all with the goal of minimizing the firm’s cyber risk exposure.
- Respond to incoming requests for vendor assessment submitted by business owners.
- Analyze and assess the initial scope of exposure by meeting with business owners.
- Coordinate all information and document gathering with vendor point of contact.
- Review and analyze all vendor submitted evidence and artifacts to determine control posture.
- Finalize and issue recommendation and net risk score.
- Work with legal contracts team to assist with finalizing agreement to include appropriate security and data protection language.
- Tag vendor with appropriate risk tier to determine next reassessment date.
- Monitor vendors in Security Scorecard for real-time monitoring and remediation follow-up.
- Work with vendors to remediate BitSight or Security Scorecard vulnerabilities.
- Manage VRM lifecycle within the vendor risk management platform.
- Ensure that all policies and standards are regularly reviewed and updated to be in line with regulatory and control requirements.
- Design and implement an effective exception process to facilitate and manage requests for non-compliance with policies and standards.
- Coordinate with legal and compliance functions to ensure proper implementation of data privacy legislation and disclosure requirements.
- Ensure that risk factors and events are addressed in a cost-effective manner and in line with business objectives.
- Manage tracking of identified findings and actions to closure and reporting to leadership.
- Ability to step into a team lead role in the future.
- Bachelor’s degree.
- Minimum of 4 to 7 years of relevant experience, preferably in financial services.
- Strong background in information technology with a clear understanding of the challenges of information security.
- Relevant experience in the GRC or Vendor Risk Management space. Good understanding of information security risk management frameworks such as ISO 27001, COBIT, NIST, NIST 800-53, etc.
- Strong written and verbal communication and presentation skills, and ability to work with all levels of the organization.
- Excellent leadership and teamwork skills.
- Team player with the ability to work independently.
- Resourceful, energetic, self-starter, flexible, goal-oriented.
- Strong personal integrity.
- Master’s degree.
- Experience having implemented or worked with OneTrust Vendor Risk Management solution.
- Experience with Security Scorecard.
- Demonstrated understanding of secure, complex information systems environments in a global financial services sell-side environment.
- Direct experience with regulatory compliance reviews and examinations.
- Current Information Security Certification (e.g. CISSP, CISM, CISA, or related security certification) preferred.
- Project and program management skills.
- Experience working with the ServiceNow vendor risk management module preferred.
- Ability to communicate technical and security-related concepts to a broad range of technical and non-technical staff, security vendors, consultants and senior management.
Physical requirements/Working conditions:
- Climate-controlled office environment.
- Minimal physical requirements other than occasional light lifting of boxed materials.
- Dynamic, time-sensitive environment.