About this role:
The Lead Information Security Assurance Analyst will assist in supporting UPS's Third Party Risk Management Program (TPRM). They will conduct complex third party risk security assurance and compliance reviews of UPS vendors. They will prepare and initiate third party risk assessments facilitated by electronic surveys and questionnaire assessments, interviews and security reviews. They will be required to determine a Vendor's Information Security compliance posture based on the contractual agreement and, where applicable, governing regulations or laws. In some cases, the Lead Information Security Analyst will be required to conduct on-site audits, which may include travel. They will work as part of the Vendor Assurance Team and will be called upon to contribute new ideas, solve complex problems, coach and mentor other analysts, innovate processes and streamline methodologies to increase and improve vendor audit effectiveness and information security compliance.
Vendor Assurance and Auditing
- Conduct complex third party risk security assurance on UPS vendors and supply chain partners.
- Develop new methodologies to search and data-mine the enterprise vendor database for "high value-high priority" third party vendors. Prioritize vendor audit lists based on Information Security policy criteria.
- Establish vendor relationships with key points of contact and establish communication channels. Initiate audit overview meetings and manage audit calendar and schedule.
- Provide executive status reports on assurance program activities, vendor controls deficiencies, and corrective action plans. Identify methods and strategies to overcome program and process challenges.
- Evaluate emerging technologies and cyber threats to support maintenance and development of new information security requirements for third parties and supply chain partners and ensure UPS's information assets are continuously protected following UPS Information Security standards and compliance obligations.
- Ensure all vendor controls meet company standards for confidentiality, integrity, availability and defense in depth security principles. Provide immediate security control remediation response in all cases where vendors are found to be deficient or non-compliant.
- Research and communicate important Information Security and Regulatory issues to Information Security Management.
- Coach and mentor other InfoSec analysts
- Must have the ability to plan, organize and prioritize personal work to meet deliverables and deadlines.
- Experience with IT Auditing fundamentals, Information Security Controls, and Vendor Cybersecurity Analysis
- Experience using Shared Assessments Program Tools and/or questionnaire based vendor auditing tools, GRC tools and technologies for audit support and vendor governance
- Knowledge of Auditing Controls, Business Impact & Risk Analysis, Security Risk Management and Security Risk Mitigation
- Industry knowledge of vendor reviews
- 3 or more years of relevant assurance, compliance and/or audit experience at a large organization.
- 1 or more years of experience working with Third Party/Vendor Assurance
- Demonstrated experience leading and collaborating with highly motivated and skilled teams. Experience developing and leading highly effective teams
- The ability to plan, organize and prioritize personal work to meet deliverables and deadlines
- Experience in using Shared Assessments Program Tools and/or questionnaire based vendor auditing tools
- Experience using IRM or GRC tools and technologies for audit support and vendor governance management
- Demonstrated advanced verbal and written communication skills
- The desired Lead Security Vendor Assurance Analyst will possess a degree in IT Management, Information Systems, Risk Management, Auditing, Computer Science, or related field or the equivalent in education and work experience.
- Bachelor's degree or equivalent.