09 - Senior Specialist, IT Risk and Compliance

Job Description

Summary

We are seeking a highly motivated and experienced Senior Analyst to join our Third Party IT Risk Management team. This role is responsible for identifying, assessing, and mitigating information technology risks associated with our third-party relationships. The ideal candidate will possess a strong understanding of IT risk management frameworks, cybersecurity principles, and relevant regulatory requirements. You will play a crucial role in protecting our organization's data and systems by ensuring our vendors and partners adhere to our security standards.

Detailed Description

Performs tasks such as, but not limited to, the following:

- - Vendor Risk Assessment: Conduct comprehensive IT risk assessments of new and existing third-party vendors. This includes evaluating their security policies, procedures, and controls against industry best practices and our internal security requirements.

- Due Diligence: Perform initial and ongoing due diligence on third-party vendors to ensure their security posture remains strong throughout the vendor lifecycle.

- Contract Review: Collaborate with legal and procurement teams to review and negotiate IT security-related clauses in third-party contracts and agreements.

- Continuous Monitoring: Implement and manage a continuous monitoring program to track the security performance of critical vendors. This includes analyzing security ratings, vulnerability reports, and incident notifications.

- Incident Response: Act as a key point of contact for any security incidents involving third-party vendors. This includes coordinating response efforts and ensuring timely resolution.

- Reporting: Develop and maintain risk dashboards and reports for senior management, providing a clear view of the third-party risk landscape.

- Policy and Procedure Development:Contribute to the development and enhancement of our third-party IT risk management policies, standards, and procedures

Knowledge/Skills/Competencies

- - Education: Bachelor's degree in Information Technology, Cybersecurity, Computer Science, or a related field.

- Experience: 10-15 years of experience in IT risk management, cybersecurity, or a related field, with a specific focus on third-party risk management.

- Framework Knowledge: In-depth knowledge of IT risk management frameworks such as NIST (800-53, CSF), ISO 27001, and COBIT.

- Regulatory Familiarity: Understanding of relevant data privacy and protection regulations (e.g., GDPR, CCPA).

- Technical Skills:

- Proficiency with third-party risk management tools and platforms.

- Strong understanding of network security, cloud security, application security, and data protection principles.

- Experience with security assessment methodologies and tools.

- Soft Skills:

- Excellent analytical and problem-solving skills.

- Strong written and verbal communication skills, with the ability to effectively communicate technical concepts to both technical and non-technical audiences.

- Proven ability to manage multiple projects and priorities in a fast-paced environment.

- Strong interpersonal skills with the ability to build and maintain effective working relationships with internal and external stakeholders.

Physical Demands

- Duties of this position are performed in a normal office environment.
- Duties may require extended periods of sitting and sustained visual concentration on a computer monitor or on numbers and other detailed data. Repetitive manual movements (e.g., data entry, using a computer mouse, using a calculator, etc.) are frequently required.

Typical Experience

- - Certifications: Professional certifications such as CRISC, CISM, CISA, or CISSP are highly desirable.

- Industry Experience: Experience working in a manufacturing, and regulated industry (e.g., finance, healthcare) is a plus.

Typical Education

Education: Bachelor's degree in Information Technology, Cybersecurity, Computer Science, or a related field.

Experience: 10-15 years of experience in IT risk management, cybersecurity, or a related field, with a specific focus on third-party risk management.

Notes

This job description is not intended to be an exhaustive list of all duties and responsibilities of the position. Employees are held accountable for all duties of the job. Job duties and the % of time identified for any function are subject to change at any time.

---