Sr. Analyst, Vendor Technology Risk Management
The Information Security Risk Management (ISRM) team is responsible for the development and maintenance of Charles Schwab’s Information Security program, including the Information Security Policy (which is periodically reviewed and approved by the Board), the creation and execution of the information security strategy, and the implementation of the information security framework. The team is also responsible for various security assurance and consulting services, including testing of applications and systems for vulnerabilities, conducting risk and compliance assessments, performing security compliance assessments for vendors, and providing information security requirements and reviews for legal contracts.
The Schwab Vendor Technology Risk Management (VTRM) Sr. Analyst will be a key member of the Vendor Technology Risk Management team. This position is responsible for the program management and enhancement of the Schwab Vendor Technology Risk Management program. The main objective for this position is to ensure the protection of Schwab sensitive information that a Vendor may access, process and/or store while providing services for or on behalf of Schwab. The VTRM Sr. Analyst will assist the Managing Director of Vendor Technology Risk Management within Information Security Risk Management in day-to-day operations to ensure that the requirements of the Schwab Information Security Policy are carried out for any technology functions delegated to Schwab vendors, or for the protection of Schwab sensitive information entrusted to vendors, and to ensure that partner organizations such as the Vendor Management Office (VMO) and the Office of Corporate Counsel (OCC) are adequately supported in their efforts to conduct oversight of vendors.
What you’ll do:
The Schwab VTRM Sr. Analyst plays the key role in vendor controls review/recommendation, vendor selection recommendation, contract language negotiation, vendor deficiency management, vendor cyber incident management and vendor Information Security oversight program enhancement. These responsibilities are a critical component in enabling Schwab to evolve its vendor security oversight program, enhancing visibility of Information Security and reducing information security risk for Schwab clients. The Schwab Sr. VTRM Analyst partners closely with Corporate Vendor Management, Schwab Legal and Business Vendor Owners to ensure information security program/practice compliance of Schwab vendors.
Key job responsibilities of the Schwab (VTRM) Sr. Analyst will include:
- Serve as the responsible subject matter expert on vendor cybersecurity risk, which includes:
  - Leading risk identification, quantification, and management efforts, and
  - Providing risk evaluation and assessment of likelihood and impact of security findings, vulnerabilities and exceptions.
- Drive all aspects of Information Security vendor assessments, which include scheduling and conducting vendor Information Security assessments (e.g. questionnaires, third party security audit reports, onsite assessments, etc.).
- Assess completed questionnaires and supporting materials to ensure vendor’s responses are complete and meet Schwab expectations.
- Identify deficiencies and vulnerabilities associated with the Vendor Information Security Oversight program.
- Document findings and work with Schwab Corporate Vendor Management and Schwab Business Owners to resolve findings through remediation plans or, alternatively, by seeking Non-Compliance Acceptance approvals.
- Escalate issues associated with vendors, as needed.
- Assess remediation plans and non-compliance acceptances across multiple business lines where Information Security standards compliance cannot be achieved.
- Validate evidence from vendor, before findings are closed.
- Coordinate Information Security incident management events, incident data collection, remediation activities and management reporting of vendor security incidents.
- Identify and escalate changes in State and Federal legislation and regulations that will affect Information Security policy, standards and procedures.
- Identify opportunities for process improvements to deliver increasing operational efficiency in the processes.
- Identify opportunities for improving the vendor Information Security risk posture as well as Schwab’s vendor risk management processes, including expanded monitoring, KPI tracking, etc.
- Support internal education and best practices sharing with peers and colleagues, as well as vendor education & awareness, as needed.
- Partner with Schwab Legal for inclusion/negotiation of appropriate Information Security contract language within vendor agreements (new, renewal and amendments).
- Participate in planning and strategy discussions around program development and management priorities including generating ideas, identifying trends and developing recommendations to shape strategy and objectives.
- Develop and cultivate partnerships with functional and vendor-facing business units across the Charles Schwab enterprise.
- Develop compelling presentations and supporting communication to a range of audiences.
- Perform other duties and special projects, as assigned.
What you have:
- A Bachelor’s degree
- 8+ years of IT and/or Information Security experience in large, highly-regulated organizations.
- 5+ years of IT security experience in security risk and compliance assessments for applications, infrastructure, and vendors / third parties, including reviewing technical security requirements and reviewing, approving and tracking security exceptions and remediation.
- 3+ years of Vendor Security Oversight experience, specific to technology vendors and service providers.
- Exhibit strong relationship management and interpersonal skills.
- Project management skills, with a track record of execution across multiple functions.
- Excellent written and oral communication skills, including being able to synthesize data, develop recommendations, and influence and persuade partners.
- Strong analytical and problem-solving skills with the ability to identify opportunities and execute to meet strategic objectives.
- Mature understanding of information security “best practices” including principles, security protocols and standards.
- Strong critical thinking skills; ability to quickly comprehend problems, develop hypotheses, draw logical conclusions, develop solutions, and respond accordingly.
- Proven history of being a self-starter: proactively identifying problems, determining pragmatic solutions, identifying and obtaining needed resources, and executing with little or no supervision.
- Advanced Information Security certification (CISSP, CTPRP or equivalent is preferred, but CISM, CEH, or similar certifications are also useful).
The following qualifications are strongly preferred:
- Financial Services experience
What you’ll get:
- Everyday Wellness: Healthy Rewards, Onsite Fitness Classes, Healthy Choices, Wellness Champions
- Financial Fitness: 401k Match, Employee Discounts, Personalized advice, Brokerage discounts
- Work/Life Balance: Sabbatical, New Mothers returning to work Program, Tuition Reimbursement Programs, Time off to volunteer
- Inclusion: Employee Resource Groups, Commitment to diversity, Strategic partnerships
- Not just a job, but a career, with an opportunity to do the best work of your life