Overview
On Site
USD 140,828.00 - 166,223.00 per year
Full Time
Skills
Information Technology
Performance Management
Preventive Maintenance
Project Management
Telecommuting
Documentation
Continuous Monitoring
Policies and Procedures
Risk Assessment
Inventory
Procurement
Legal
Internal Control
Process Improvement
Regulatory Compliance
Talent Management
Invoices
Information Assurance
Information Security
CISM
Information Systems
IT Risk Management
Auditing
Vendor Management
CISA
CISSP
ISACA
ITIL
COBIT
System On A Chip
ISO 9000
Payment Card Industry
SAP GRC
IT Security
Reporting
Supply Chain Management
NIST SP 800 Series
Risk Management Framework
RMF
Risk Management
Cyber Security
Privacy
Active Listening
Attention To Detail
Customer Service
Critical Thinking
Problem Solving
Conflict Resolution
Decision-making
Communication
Collaboration
Management
Writing
Partnership
Innovation
Customer Focus
Customer Relationship Management (CRM)
Law
Finance
FDS
MTA
Military
Job Details
Description
JOB TITLE: Advanced Cybersecurity 3rd Party Risk Management
SALARY RANGE: $140,828 - $166,223
HAY POINTS: 634
DEPT/DIV: Information Technology / Cybersecurity
SUPERVISOR: Cybersecurity Officer- Supply Chain & Compliance
LOCATION: Vario 2 Broadway, New York, NY 10004
HOURS OF WORK: 9:00 am - 5:30 pm (7.5 hours/day or as required)
This position is eligible for telework, which is currently two days per week. New hires are eligible to apply 30 days after their effective date of hire.
SUMMARY:
The role will manage vendor risks and assessments to anticipate, identify, monitor, and mitigate risks associated with third-party providers of goods or services. In addition, this role is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed, and mitigated to acceptable levels.
This role must ensure that the organization's vendor ecosystem is properly evaluated, assessed, and managed to minimize risk exposure and risk impacts to the business.
RESPONSIBILITIES:
- Assessing the information security posture of third parties (service providers, business partners, and Third-Party Administrators (TPAs)) and coordinating the overall execution and delivery of assessments and related remediation of any findings
- Identifying and tracking continuous monitoring activities to ensure the risks associated with individual third parties have not changed or exceeded risk tolerance thresholds, and, where they have exceeded approved thresholds, agreeing on remediation plans with the counterparty.
- Participate in cross-functional teams to promote information security policies and best practices and address third-party security compliance issues.
- Develop and implement cybersecurity policies and procedures to protect information assets.
- Conduct cybersecurity risk assessments of third-party vendors and suppliers using industry-standard frameworks, such as NIST, ISO, and CSA.
- Develop and maintain a comprehensive inventory of third-party vendors and suppliers and track their cybersecurity risk profiles.
- Collaborate with procurement and legal teams to ensure that third-party contracts include appropriate cybersecurity requirements and provisions.
- Coordinate, plan, and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls.
- Monitor third-party vendors and suppliers for changes in their cybersecurity risk profiles and report any concerns to management.
- Provide guidance and recommendations to internal teams on best practices for managing third-party cybersecurity risks.
- Keep abreast of the latest security, privacy, and regulatory concerns and best practices impacting third-party risk management.
- Continuously monitor information security and privacy regulation changes; design and implement process improvements to ensure the organization adapts to those changes and remains compliant.
- Perform IT Security assurance/compliance reviews as appropriate.
- Identify enhancements and process efficiencies to keep the assessment program in line with best practices.
- Provide technical advice to project teams and mentor less experienced staff to foster talent development.
- Perform other duties and tasks as assigned.
- May need to work outside of normal work hours supporting 24/7 operations (i.e., evenings and weekends).
- Travel may be required to other MTA locations or other external sites.
- Regular and reliable attendance is expected and required.
- Observing the work performed by the contractor.
- Reviewing invoices and approving them if the work meets contractual standards.
- Addressing performance issues with the contractor when possible.
- Escalating issues to other parties as needed.
Qualifications:
Education and Experience:
- Education: Bachelor's degree.
- Experience: At least 8 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.
- Certification(s): Requires at least one certification in the current platform/domain/technical skill. Possible certifications could be, but are not limited to: Certified Information Security Professional (CISSP), Global Information Assurance Certification (GIAC), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), or other related certification(s).
Technical Skills:
- Expert/Highly Proficient: experience with the implementation and maturing of cyber frameworks, the MITRE ATT&CK Framework, etc.
- Strong background and understanding of all cybersecurity domains.
- Expert/Highly Proficient: experience in IT risk management or audit.
- Expert/Highly Proficient: experience working with third-party risk and vendor management.
- One or more of the following certifications are highly desired: CRISC, CISA, CISSP, or other related certification(s).
- Comprehensive understanding of cybersecurity principles, frameworks, and regulations (e.g., ITIL, NIST, MITRE, COBIT, COSO, HITRUST, SOC reports, CSF, ISO, GDPR, PCI).
- Extensive hands-on experience with GRC tools.
- Solid working knowledge of IT security and infrastructure.
- Ability to develop a rapport with all employees to cultivate an environment conducive to reporting possible policy violations/risks. Ability to competently follow through on investigating such potential violations.
- Proven ability to assess third-party risk programs, evaluate organizational needs, and implement required changes.
- Ability to work independently and strategically.
- Demonstrated expertise in identifying and analyzing risks and developing effective mitigation strategies.
- Strong technical knowledge and diverse skillset to understand various technologies, systems, and potential risks.
- Excellent critical thinking, problem-solving, and decision-making skills.
- Strong interpersonal and communication skills, with the ability to effectively collaborate with both technical and non-technical peers.
- Proven ability to manage multiple projects simultaneously and prioritize tasks based on urgency and impact.
- Supply Chain Risk Management standards, processes, and practices (NIST SP 800-161).
- Risk Management Framework (RMF) requirements.
- Risk management processes (e.g., methods for assessing and mitigating risk).
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
Behavioral Skills:
- Advanced active listening, attention to detail, customer service, prioritization, and problem-solving skills.
- Advanced in working independently and strategically.
- Adept expertise in identifying and analyzing risks and developing effective mitigation strategies.
- Advanced technical knowledge and a diverse skillset to understand various technologies, systems, and potential risks.
- Adept in critical thinking, problem-solving, and decision-making skills.
- Expert interpersonal, verbal, and written communication skills, with the ability to effectively collaborate with both technical and non-technical peers.
- Advanced experience with managing multiple projects simultaneously and prioritizing tasks based on urgency and impact.
- Advanced hands-on experience with related tools.
- Advanced experience in working under pressure and meeting deadlines individually and collaboratively. Thinks logically, assesses problems, and is results oriented.
- Advanced in identifying complex business and technology risks and associated vulnerabilities.
- Advanced in communicating effectively, both orally and in writing, to interact with team members, customers, management, and support personnel (technical and non-technical).
- Advanced in establishing and maintaining effective working relationships with employees at all levels within the organization, and with both internal and external customers.
Competencies:
Collaborates, Advanced
Building partnerships and working collaboratively with others to meet shared objectives.
Cultivates Innovation, Adept
Creating new and better ways for the organization to be successful.
Customer Focus, Adept
Building strong customer relationships and delivering customer-centric solutions.
Communicates Effectively, Expert
Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences.
Tech Savvy, Advanced
Anticipating and adopting innovations in business-building digital and technology applications.
Technical Skills, Advanced
Specialized knowledge and expertise on tools, programs, domains, platforms, and products used for specific tasks.
Values Diversity, Advanced
Recognizing the value that different perspectives and cultures bring to an organization.
General:
- May need to work outside of normal work hours (i.e., evenings and weekends).
- Travel may be required to other MTA locations or other external sites.
Other Information:
Pursuant to the New York State Public Officers Law & the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the "Commission").
Equal Employment Opportunity
MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.
The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.