The Vendor Information Risk Management team within the CRCO is a key control function within the overall Risk Management process at Bloomberg. We are responsible for reviewing and assessing the security controls of third parties to ensure the security and integrity of our data while it is in the possession of our vendors and partners. As part of the ongoing third-party assessments we perform, we identify issues, assign appropriate risk ratings, and document them according to our Issue Management process.
What's The Role?
We are looking for a Vendor Information Risk Management Analyst with a proven background in Information Security and Risk Management to help improve our overall Vendor Information Risk Management program. You will drive assessment and remediation activities across our vendor population.
You will be responsible for ensuring Bloomberg data remains secure and all risks/vulnerabilities/defects are managed, tracked, and remediated according to our processes and policy.
We'll Trust You To:
- Have experience with risk management processes, along with an understanding of IT risk, security architecture, external/internal audit, and accepted security frameworks/standards (e.g. NIST, ISO)
- Conduct risk assessments of vendors, identify and document control gaps, and present results to support management action, escalation, and risk acceptance processes
- Partner with businesses across the enterprise to evaluate the information security risks associated with their vendor engagements
- Review vendor due diligence materials (e.g. SSAE 16 reports, penetration testing reports), identify potential issues, and follow up on unresolved issues
- Interpret, identify, and prioritize risk based on impact and likelihood
- Work directly with key partners to facilitate information risk analysis and risk management processes, identify acceptable levels of risk, and establish roles and responsibilities with regard to information risk management
- Partner with various support groups and vendors to drive the appropriate remediation activities for identified risks
- Validate evidence from vendors prior to closing out remediation plans
- Develop Senior Management reports, including defining and tracking program-based metrics (e.g. assessments completed within SLA, open challenges)
- In partnership with our key internal partners (Vendor Management, Procurement, Legal, etc.), identify process and technology enhancements to drive efficiencies
- Ensure close coordination with Bloomberg Risk Management on aligning risks, issues, enterprise reporting, etc.
You'll Need To Have:
- Bachelor's degree in Information Technology, Information Security, Business or Risk Management (or equivalent experience)
- 7+ years of related work experience
- Comprehensive knowledge of Information Security standards and frameworks (NIST CSF, NIST SP 800-53, Shared Assessments, ISO, etc.), with an understanding of the "why" behind the controls and not just the controls themselves
- Experience assessing cloud-based service providers
- CISSP, CISM or other Information Security certifications
- IT audit background and practical knowledge of a variety of technologies, including operating systems, server, network and web infrastructure, database architectures, and intrusion detection and prevention systems
- Experience with security best practices relevant to firewalls, systems, and network architecture
- Understanding of the software development life cycle and of application security, Infrastructure-as-a-Service, and Software-as-a-Service security concepts
- Organized and detail-oriented, with the ability to understand the big picture and make risk-appropriate trade-offs
- Experience with Governance, Risk, and Compliance tools (e.g. Archer, MetricStream)
- Strong interpersonal and oral/written communication skills, with the ability to build relationships at all levels
- Experience handling client/partner relationships and expectations
- Ability to negotiate
- Ability to work independently
- Strong analysis and problem-solving skills