Previous Job
Previous
Consultant – 3rd Party IT-Cyber Security Risk Assessor
Ref No.: 17-00133
Location: Jersey City, New Jersey
Consultant – 3rd Party IT-Cyber Security Risk Assessor
The 3rd Party IT-Cyber Security Risk Assessor, reporting to the Head of Cyber Security, will be performing security assessments of vendors, service providers and 3rd party companies that manage systems or information for end client.

Responsibilities:
  • Review services provided by vendor and define scope of assessment based on SIG questionnaire / AUP controls
  • Perform remote security assessments via WebEx or a select few onsite assessments in the New York area.
  • Review Assessments performed by 3rd party provider or our team in India.
  • Define appropriate risk levels and corrective actions
  • Report on assessment outcomes, risk level and associated recommendations
  • Input corrective action plans into system
  • Follow up on corrective action plans and review evidence for closure
  • Provide metrics on a regular basis (KPI / KRI)
  • Periodically reach out to vendors hosting company data regarding current threats to ensure they are taking necessary steps to reduce exposure.

Qualifications:
  • Bachelor of Computer Science degree from an accredited college or university, or equivalent work experience
  • Minimum 5 years professional work experience, including a minimum of 2 years in an Information Security role or as an IT Auditor
  • Should have managed a high volume (over 200) of third party information security risk assessments. Coordinated with internal and external assessors to ensure assessments went according to schedule. Reviewed the findings from assessments for applicability and calculated the risk. Presented the findings to the business line and law firms, explained the risk and assessed the firms remediation plans to ensure they adequately addressed the risk / issues identified. Reviewed evidence provided by the firms for closure of the issues.
  • Should have conducted several IT vendor security risk assessments using SIG/AUP or other similar proprietary questionnaire / control matrix for two global banks to test if service provider's environment met the bank's standards on IT security policies, encryption standards, incident management, application development, privacy requirements, logical, physical and environmental security, operations, business continuity, incident management controls as well as other requirements. Assessments varied from a few hour pre-assessment of their environment over the phone to a detailed multi day onsite review. Scheduled debrief calls with the bank and vendor to discuss the risks posed by the findings to determine if remediation plans were necessary.
  • Hands on experience with ISO 27001, NIST 800, IT and FFIEC cybersecurity risk assessments
  • Strong written/verbal communication skills, and organizational and work documentation proficiency
  • Good communicator with demonstrated ability to pass messages in a clear and concise manner
  • Ability to adapt to changing priorities, handle multiple assignments, and adhere to strict deadlines
  • Ability to coordinate actions from several different teams
  • Experience performing IT audits or IT security risk assessments
  • Experience with Standardized Information Gathering (SIG) questionnaire and Agreed Upon Procedures (AUP) or other vendor assessment questionnaire / controls preferred.
  • Experience with Hiperos or other vendor management / GRC tool (Archer, MetricStream, Process Unity).
  • CISSP, CISM or CISA certification