Overview
On Site
USD 156,476.00 - 184,692.00 per year
Full Time
Skills
C
Information Technology
Project Management
Performance Management
Preventive Maintenance
Telecommuting
Network
SAFE
Documentation
Continuous Monitoring
Policies and Procedures
Risk Assessment
Inventory
Procurement
Legal
Internal Control
Process Improvement
Mentorship
Invoices
Information Assurance
Information Security
CISM
Information Systems
ISO/IEC 27001:2005
Software Development Methodology
OSCP
Security+
Nexus
GCIH
GSEC
Regulatory Compliance
IT Risk Management
Auditing
Vendor Management
CISA
CISSP
ISACA
ITIL
COBIT
System On A Chip
ISO 9000
Payment Card Industry
SAP GRC
IT Security
Reporting
Critical Thinking
Decision-making
Collaboration
Management
Supply Chain Management
NIST SP 800 Series
Risk Management Framework
RMF
Risk Management
Cyber Security
Privacy
Soft Skills
Active Listening
Attention To Detail
Customer Service
Conflict Resolution
Problem Solving
Communication
Partnership
Innovation
Customer Focus
Customer Relationship Management (CRM)
MBA
Law
Finance
FDS
MTA
Military
Job Details
Description
JOB TITLE: Principal Cybersecurity 3rd Party Risk Management (C)
SALARY RANGE: $156,476 - $184,692
HAY POINTS: 775
DEPT/DIV: Information Technology / Cybersecurity
SUPERVISOR: Cybersecurity Officer- Manager
LOCATION: Vario2 Broadway New York, NY 10004
HOURS OF WORK: 9:00 am - 5:30 pm (7.5 hours/day) or as required)
This position is eligible for telework which is currently two days per week. New hires are eligible to apply 30 days after their effective date of hire.
The Metropolitan Transportation Authority is North America's largest transportation network, serving a population of 15.3 million people across a 5,000-square-mile travel area surrounding New York City, Long Island, southeastern New York State, and Connecticut. The MTA network comprises the nation's largest bus fleet and more subway and commuter rail cars than all other U.S. transit systems combined. MTA strives to provide a safe and reliable commute, excellent customer service, and rewarding opportunities.
About Us
Summary:
The role will manage vendor risks and assessments to anticipate, identify, monitor and mitigate risks associated with third-party providers of goods or services. In addition, this role is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed and mitigated to acceptable levels.
This role must ensure that the organization's vendor ecosystem is properly evaluated, assessed and managed to minimize risk exposure and risk impacts to the business.
Responsibilities:
Qualifications:
Relevant Certifications
Certification in Risk Management Assurance (CRMA)
ISC2 Certified in Cybersecurity
Certified Information Systems Auditor (CISA)
Global Information Assurance Certification (GIAC)
Certified Third-Party Risk Professional (CTPRP)
Certified Compliance & Ethics Professional (CCEP)
Certified Information Systems Security Professional (CISSP)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Privacy Professional (CIPP)
Certified Information Security Manager (CISM)
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
ISO 27001 Lead Auditor
Certified Secure Software Lifecycle Professional (CSSLP)
Offensive Security Certified Professional (OSCP)
CompTIA Security+ Certification
Cybersecurity Nexus (CSX) Practitioner
GIAC Certified Incident Handler (GCIH)
GIAC Security Essentials (GSEC)
ISC2 Certified Governance, Risk and Compliance (CGRC)
Technical Skills:
Soft Skills:
Competencies:
Core Competency
Proficiency Level
Competency Definition
Collaborates
Expert
Building partnerships and working collaboratively with others to meet shared objectives
Cultivates Innovation
Advanced
Creating new and better ways for the organization to be successful
Customer Focus
Advanced
Building strong customer relationships and delivering customer-centric solutions
Communicates Effectively
Expert
Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences
Tech Savvy
Expert
Anticipating and adopting innovations in business-building digital
and technology applications
Technical Skills
Expert
Specialized knowledge and expertise on tools, programs, domains, platforms, and products used for specific tasks
Values Diversity
Expert
Recognizing the value that different perspectives and cultures bring to an organization
Desired, but not required:
OTHER INFORMATION:
Pursuant to the New York State Public Officers Law & the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the "Commission").
Equal Employment Opportunity
MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.
The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.
JOB TITLE: Principal Cybersecurity 3rd Party Risk Management (C)
SALARY RANGE: $156,476 - $184,692
HAY POINTS: 775
DEPT/DIV: Information Technology / Cybersecurity
SUPERVISOR: Cybersecurity Officer- Manager
LOCATION: Vario2 Broadway New York, NY 10004
HOURS OF WORK: 9:00 am - 5:30 pm (7.5 hours/day) or as required)
This position is eligible for telework which is currently two days per week. New hires are eligible to apply 30 days after their effective date of hire.
The Metropolitan Transportation Authority is North America's largest transportation network, serving a population of 15.3 million people across a 5,000-square-mile travel area surrounding New York City, Long Island, southeastern New York State, and Connecticut. The MTA network comprises the nation's largest bus fleet and more subway and commuter rail cars than all other U.S. transit systems combined. MTA strives to provide a safe and reliable commute, excellent customer service, and rewarding opportunities.
About Us
Summary:
The role will manage vendor risks and assessments to anticipate, identify, monitor and mitigate risks associated with third-party providers of goods or services. In addition, this role is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed and mitigated to acceptable levels.
This role must ensure that the organization's vendor ecosystem is properly evaluated, assessed and managed to minimize risk exposure and risk impacts to the business.
Responsibilities:
- Assessing the information security posture of third parties (service providers, business partners, and Third-Party Administrators (TPAs)) and coordinating the overall execution and delivery of assessments and related remediation of any findings
- Identifying and tracking continuous monitoring activities to ensure the risks associated with individual third parties have not changed or exceeded risk tolerance thresholds, and where it has exceeded approved thresholds, agree remediation plans with the counterparty
- Participate in cross-functional teams to promote information security polices and best practices and address third-party security compliance issues
- Develop and implement cybersecurity policies and procedures to protect information assets
- Conduct cybersecurity risk assessments of third-party vendors and suppliers using industry-standard frameworks, such as NIST, ISO, and CSA
- Develop and maintain a comprehensive inventory of third-party vendors and suppliers, and track their cybersecurity risk profiles
- Collaborate with procurement and legal teams to ensure that third-party contracts include appropriate cybersecurity requirements and provisions
- Coordinate, plan and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls
- Monitor third-party vendors and suppliers for changes in their cybersecurity risk profiles and report any concerns to management
- Provide guidance and recommendations to internal teams on best practices for managing third-party cybersecurity risks
- Keep abreast of the latest security, privacy, and regulatory concerns and best practices impacting third party risk management
- Continuously monitor information security and privacy regulation changes, Design and implement process improvements to ensure organizational adaptation of those changes and compliance
- Perform IT Security assurance/compliance reviews as appropriate
- Identify enhancements and process efficiencies to keep assessment program in line best practices
- May mentor less experienced staff
- Performs other duties and tasks as assigned
- May need to work outside of normal work hours (i.e., evenings and weekends)
- Travel may be required to other MTA locations or other external sites
- Observing the work performed by the contractor
- Reviews invoices and approve them if the work had contractual standards
- Addressing performance issues with the contractor when possible
- Escalating issues to other parties as needed.
Qualifications:
- Education: Bachelor's Degree
- Experience: At least 10 years of relevant experience. An equivalent combination of education and experience may be considered in lieu of a degree.
- Certification(s): Must possess at least two of the following professional certifications in subject domain including but not limited to:
Relevant Certifications
Certification in Risk Management Assurance (CRMA)
ISC2 Certified in Cybersecurity
Certified Information Systems Auditor (CISA)
Global Information Assurance Certification (GIAC)
Certified Third-Party Risk Professional (CTPRP)
Certified Compliance & Ethics Professional (CCEP)
Certified Information Systems Security Professional (CISSP)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Privacy Professional (CIPP)
Certified Information Security Manager (CISM)
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
ISO 27001 Lead Auditor
Certified Secure Software Lifecycle Professional (CSSLP)
Offensive Security Certified Professional (OSCP)
CompTIA Security+ Certification
Cybersecurity Nexus (CSX) Practitioner
GIAC Certified Incident Handler (GCIH)
GIAC Security Essentials (GSEC)
ISC2 Certified Governance, Risk and Compliance (CGRC)
Technical Skills:
- Expert/Highly Proficient, experience with implementation and maturing of Cyber frameworks, MITRE ATTACK Framework, etc.
- Strong background and understanding of all cybersecurity domains.
- Expert/Highly Proficient, experience in IT risk management or audit
- Expert/Highly Proficient, Experience working with third party risk and vendor management
- One or more of the following certifications are highly desired: CRISC, CISA, CISSP, CRISC or other related certification(s) a plus
- Comprehensive understanding of cybersecurity principles, frameworks, and regulations (e.g., ITIL, NIST, MITRE, COBIT, COSO, HITRUST, SOC reports, CSF, ISO, GDPR, PCI)
- Extensive hands-on experience with GRC tools.
- Solid working knowledge of IT security and infrastructure.
- Ability to develop a rapport with all employees to cultivate an environment conducive to reporting possible policy violations/risks. Ability to competently follow through on investigating such potential violations.
- Proven ability to assess third party risk programs, evaluate organizational needs and implement required changes
- Ability to work independently and strategically
- Demonstrated expertise in identifying and analyzing risks and developing effective mitigation strategies.
- Strong technical knowledge and diverse skillset to understand various technologies, systems, and potential risks.
- Excellent critical thinking, problem-solving, and decision-making skills.
- Strong interpersonal and communication skills, with the ability to effectively collaborate with both technical and non-technical peers.
- Proven ability to manage multiple projects simultaneously and prioritize tasks based on urgency and impact.
- Supply Chain Risk Management standards, processes, and practices (NIST SP 800-161).
- Risk Management Framework (RMF) requirements
- Risk management processes (e.g., methods for assessing and mitigating risk).
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
Soft Skills:
- Active Listening, Attention to Detail, Customer Service,
- Prioritization, Problem Solving, Effective Verbal and Written Communication
Competencies:
Core Competency
Proficiency Level
Competency Definition
Collaborates
Expert
Building partnerships and working collaboratively with others to meet shared objectives
Cultivates Innovation
Advanced
Creating new and better ways for the organization to be successful
Customer Focus
Advanced
Building strong customer relationships and delivering customer-centric solutions
Communicates Effectively
Expert
Developing and delivering multi-mode communications that convey a clear understanding of the unique needs of different audiences
Tech Savvy
Expert
Anticipating and adopting innovations in business-building digital
and technology applications
Technical Skills
Expert
Specialized knowledge and expertise on tools, programs, domains, platforms, and products used for specific tasks
Values Diversity
Expert
Recognizing the value that different perspectives and cultures bring to an organization
Desired, but not required:
- MBA or other advanced degree
OTHER INFORMATION:
Pursuant to the New York State Public Officers Law & the MTA Code of Ethics, all employees who hold a policymaking position must file an Annual Statement of Financial Disclosure (FDS) with the NYS Commission on Ethics and Lobbying in Government (the "Commission").
Equal Employment Opportunity
MTA and its subsidiary and affiliated agencies are Equal Opportunity Employers, including with respect to veteran status and individuals with disabilities.
The MTA encourages qualified applicants from diverse backgrounds, experiences, and abilities, including military service members, to apply.
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.