Previous Job
Senior Analyst, Vendor Assessment
Ref No.: 17-00214
Location: Omaha, Nebraska
Position Type:Direct Placement
Start Date: 05/31/2017
Senior Analyst, Vendor Assessment

The Security Risk Management (SRM) Group, under the leadership of the Chief Information Security Officer (CISO), is tasked to protect information assets in support of business objectives and in conformity with policies. The Vendor Assessment Team is a core function of SRM and is primarily responsible for ensuring that Third party systems are engineered and designed in a secure manner.
The Senior Analyst, Vendor Assessment will be focused on the analysis and management of vendor risk and is primarily responsible for performing, reviewing, analyzing, and reporting on the results vendor risk assessments. The Senior Analyst, Vendor Assessment will work with internal business units, third party vendors, and security risk management to analyze and report risk.

  • Conduct third party risk assessments aligned with ISO and NIST standards
  • Review completed SIG questionnaires based on vendor inherent risk
  • Perform vendor documentation review and analysis
  • Perform onsite assessments of vendor facilities
  • Identify and measure risk associated with vendor security controls
  • Document risks and recommendations based on a vendors lack of controls
  • Risk rank findings based on likelihood and impact leveraging risk methodology
  • Document and report risk to Vendor Assessment management team, business partners, and vendors
  • Follow-up on open findings with vendors in repeat assessments if necessary
  • Influence the behavior of peers and build relationships with other teams without direct authority over those teams to promote security awareness and risk management
  • Assess current business practices and identify opportunities to promote effective third party risk management
  • Strong expertise and working knowledge of assessing controls against standards and frameworks such as ISO27001:2013, ISO 22301, NIST 800-53 Rev 4
  • Ability to perform in-depth information security related assessments of new and existing vendors leveraging SIG based questionnaires and evidence
  • Technical expertise to review a vendor's controls and document in business terms the risk, and recommendation to address the vendor's control deficiencies
  • Ability to document the assessment details, findings, and overall risk in a formal assessment report
  • Strong written, and verbal communication skills, strong presentation skills to communicate risks to multiple audiences with varying technical skillsets
  • Highly organized, self-motivated, and ability to manage multiple assessments at once
  • Deep analytical capabilities to appropriately analyze risk and report areas of concern
  • Minimum of 5 years conducting 3rd Party vendor risk assessments within an Information Security role
  • Strong working knowledge of IT Security Operations experience working with networks, applications, systems, or datacenters
  • B.A./B.S. degree in related discipline
  • Ability to perform problem solving in a complex demanding environment
  • Must be resourceful, creative, innovative, results driven, and adaptable
  • Solid problem solving and analytical skills
  • Competent designer of mixed-technology solutions
  • Ability to perform in a fast-paced multidisciplinary environment
  • Military education or experience may be considered in lieu of civilian requirements listed