The Cincinnati Insurance Companies' IT department is currently seeking a third party risk manager to assist in the management of information security risks associated with the company's vendor relationships, along with day-to-day oversight for the portfolio of IT vendors.
Starting Rate of Pay: $105,000 - $131,000 depending on knowledge and skills
- conduct information security risk assessments of vendors and vendor software, based on company standards and risk appetite, leveraging demonstrated working knowledge of industry security practices
- make information security risk acceptance decisions on behalf of the company, within limits approved by management
- review contracts, project documentation, system design documents, vendor security policies and other vendor security references (e.g., SOC 2 Type 2, SIG, AUP, PCI ROC, BitSight, etc.) to determine the extent, type, and scope of risks of the vendor relationship
- provide security-related contract clause change recommendations and communicate the need for the changes to business, contract administration, legal and IT areas
- coordinate with IT architects, project teams and vendors to bring system designs into alignment with company security standards
- follow contract review procedures to establish company records of the risk management process
- modify vendor risk procedures, contract templates and other tools to support continuous improvement of the vendor risk management program
- support IT management relative to product ownership responsibility, product license needs, license and support renewal process
- follow vendor governance policies and procedures that drive the behaviors of those individuals/organizations
- foster an organization for internal relationship building and alignment
- provide training to IT and business units on vendor management practices
- consult with business partners and other IT service areas in the requirement gathering process
- demonstrate an understanding of fundamental aspects of information security (e.g., data classification, inventories, technical/procedural/physical control categories)
- demonstrate an understanding of information security standards and regulations (e.g., ISO 27001/27002, NIST, FFIEC, etc.), and commonly used concepts, practices and procedures within the information security and privacy fields
Education: bachelor's degree or technical institute training or any combination of education and experience that would provide an equivalent background