Third Party IT Security Risk Manager
5 - 7 years experience • Manufacturing / Diversified
Third Party IT Security Risk Manager
Great Neck, NY (the position may also be out of King of Prussia, PA)
This position is responsible for oversight and coordination of the Information Security Third Party Risk Management (TPRM) program within the Information Security team. This position has several principal responsibilities as outlined below. This position reports to the Director of Information Security Strategy and Governance.
ESSENTIAL DUTIES AND RESPONSIBILITIES
The Manager of the Information Security Third Party Risk Management program will be tasked with maturing the overall Third-Party Risk Management Security Program by working alongside the Director of Information Security Strategy and Governance and other team members. The Manager will be responsible for implementing a robust Third-Party Risk Management Program which includes vendor applications, software, systems, contractors and consultants. The Manager shall ensure sound security practices are built in throughout the third parties' lifecycle.
• Develop and drive the implementation of security best practices and standards to mature the overall TPRM program
• Directly responsible for developing, implementing and assessing procedures and controls to ensure compliance with applicable regulatory and legal requirements, First Quality policies as well as leading industry practices
• Work with business and project teams to ensure security controls are built into IT functional specifications using leading industry practices
• Work as a Subject Matter Expert (SME) for the Information Security team and management to identify and address key third party information risks and areas of concern associated with new third-party project rollouts
• Drive appropriate stakeholder participation in evaluation of risk and control effectiveness
• Establish third party assessment criteria and perform third party risk analysis and self-assessments for various third party information systems and applications
• Ensure new vendors comply with HIPAA and future regulatory needs
• Establish and maintain Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the TPRM security program and initiatives
• Maintain key TPRM related dashboards for key security programs
• Maintain expertise on security trends through training, research and development in order to mitigate potential security exposures.
• Liaise with key functional teams such as HR, IT, Digital Strategy, Finance, Internal Audit, Enterprise Risk, Quality, Office of General Counsel and the Business to perform third party security reviews on their new and existing vendors and identify risks that require remediation
• Occasional travel: Up to 15%
To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
• Bachelor's degree in management information systems, computer science, cybersecurity or equivalent
• 5 - 7 years' experience working directly in an Information Security or Information Technology department
• Big 4 experience a plus
• Working knowledge of security controls in the following areas: cloud computing, mobile device management, identity and access management, emerging technologies
• Experience with building any or all of the following programs: Third Party Risk Management, Incident Response Management, Threat & Vulnerability Management, Data Classification
• Working knowledge of the following frameworks and regulations: ISO27001/2, SANS Top 20 Critical Security Controls, ISF Standard of Good Practice, HIPAA
• Ability to work independently with little direction and/or supervision
• Ability to prioritize and multitask; a work approach that supports flexibility and adaptability is paramount
• Excellent written and oral communications skills; ability to lead discussions, present ideas to audiences of all sizes, and interact with all levels of the organization
• Ability to communicate security risks to non-technical business stakeholders
• Proficiency with the Microsoft Office suite
• Professional security management certification: CompTIA Security+, CISSP, CISA, or equivalent; working towards certification is preferred
The interview process will start with a phone interview and then lead to an in-person interview.
The position is not a remote position. This person will have to work onsite.
US Citizens and those authorized to work in the US are encouraged to apply; we are unable to sponsor H1B candidates at this time.