Ekman Associates, Inc. is a Southern California based company focused on the following services: Management Consulting, Professional Staffing Solutions and Executive Recruiting.
The Sr. Analyst, Third Party Risk Management role is responsible for supporting the Third Party Risk Management program by conducting domestic and global third party risk assessments. Daily activities will include coordinating intake of new vendors and new engagements, vendor security reviews, interacting with internal and external stakeholders, reporting on assessment outcomes and tracking remediation efforts.
- Strong Analytical and Communication Skills
- Ability to perform policy and standard gap analyses based on leading security frameworks
- Ability to write and ratify NIST and ISO based security policies
- Knowledge of policy taxonomies and hierarchies
- Develop and conduct Risk Assessments using leading frameworks; i.e., ISO, NIST, etc.
- Follow-up with business as needed for clarification on the risk tier
- Apply methodology to determine risk tier
- Review business and technical assessments questionnaires and evidence. Schedule and conduct review calls with vendors: ensure and track questionnaires sent to vendors, track and report on abandoned vendors, receive and review questionnaires responses and evidence, hold review calls, finalize report
- Coordinate other due diligence that need to be done in addition to security questionnaire when needed
- Develop corrective action plans and monitor third party remediation efforts
- Document and communicate findings and observations to internal and external stakeholders
- Track open issues and related remediation execution (programmatic)
- Utilize a GRC tool as the central repository for risk and control information.
- Collaborate with internal stakeholders to develop continued program process improvements
- Report on assessment outcomes, risk levels, and remediation progress
- Continuously raise awareness on the program through training, info-sessions and interactions with business stakeholders, security teams, legal, etc.
- Bachelor’s degree with a major in business or management information system or relevant experience
- Preferred certifications: CISSP, CISA, CIPP, CRISC, CEH, and/or CISM
- In depth knowledge of Third Party Risk Management
- Performing IT risk assessments against OWASP, PCI, GLBA, NIST, ISO, SIG/AUP or other standards
- Collecting, analyzing, and interpreting qualitative and quantitative data from multiple sources to analyze findings in the context of the overall third party risk.
- Demonstrated ability to prepare management level reporting and effectively communicate observations across all levels of the organization
- Strong knowledge base in information security, risk management, privacy, operations, enterprise networking, systems evaluation, and architecture
- Demonstrated experience in the areas of risks and controls across various IT platforms
- Strong analytic skills for problem analysis and resolution
- Advanced MS-Office skills including Excel and PowerPoint
- Ability to communicate complex technology risk assessment information to non-technical business stakeholders to ensure they comprehend the risk being assigned to them
- Ability to discern business relevant risk associated with technology control deficiencies, and to identify the corresponding remediation which is required to mitigate the business impact
- Deep understanding and knowledge of security, risk and privacy regulatory frameworks such as NIST, SOX, PCI, HIPAA, ISO, Safe Harbor, CSA, etc.
- This individual requires strong written, verbal communication and organizational skills as they will be working on multiple projects with technology stakeholders across the organization
- Self-starter who can function independently with limited direction
- Experience in managing Third Party Risk with a large volume of vendors globally
- Experience in the development, implementation, and/or maintenance of a global enterprise IT and security risk and control framework
- Ability to understand the “big picture” by aligning activities to business objectives and partnering with other IT GRC functions to align on strategies and enterprise priorities
- Ability to prioritize activities based on business criticality, audits, threats, vulnerabilities, and regulatory requirements
- Experience creating a risk-aware culture
- Experience with IT GRC platforms, including the ability to drive maturity and enhancements to the platform, tools, and methodologies
Qualified Candidates Only: If you wish to learn more about this opportunity and additional qualifications/responsibilities, please submit your resume. To learn more about Ekman Associates, Inc. please visit our website at www.ekmanassociates.com.