Federal Reserve Bank Third Party Risk Analyst in Boston, Massachusetts
The 3rd Party Risk Analyst will be part of a team responsible for assessing the information security practices and posture of new and existing 3rd parties for the Federal Reserve System.
Working as part of a team, the analyst will leverage various sources of data to assess the security program and associated practices of the Federal Reserve’s suppliers, highlight risks and control gaps associated with the supplier’s security program, categorize the potential risks based on severity, and identify potential mitigation strategies. The position is also responsible for translating the results of the analysis into business consumable format and delivering those results to business, legal, and procurement teams to guide risk decisions.
Additionally, the analyst will be responsible for identifying and tracking continuous monitoring activities to ensure the risks associated with active suppliers have not changed or exceeded risk tolerance thresholds.
The Analyst will also participate in cross-functional teams to address information security policy/risk or compliance issues. The Analyst is expected to determine best practices, suggest how to improve current practices, and monitor those practices.
Key Responsibilities (include but are not limited to the following):
• Conducts information security assessments of suppliers (third party vendors and cloud services) including advising management on how to mitigate any identified risks
• Supports the evolution and continuous improvement of vendor risk assessment processes including the development and maintenance of procedures, artifacts, and metrics to be used in the assessment of suppliers
• Keeps abreast of the latest security, privacy, and regulatory concerns and best practices impacting third party risk management
• Advises business on any changes requested by third parties to security and privacy provisions of our contracts
• Performs third party compliance risk tracking, trending, analysis, and executive reporting
• Responsible for information security preparedness, policies, practices, and identifying and mitigating information security risks resulting from third party applications, systems, and infrastructure
• Advises procurement and project teams on vendor assessment requirements and performs vendor risk assessments for new vendors or services
• Analyzes, designs, and implements business processes and requirements to ensure compliance with security policies and procedures
• Delivers support for the Security Assurance for the Federal Reserve (SAFR) program based on NIST controls
• Provides consultation and facilitation support services to the Bank in information security matters, compliance with the security policy, privacy, and other control mechanisms used by the Bank
• Performs complex analysis of major business issues and proactively searches for and recommends sustainable solutions utilizing established methodology and tools within information security areas
• Leads process improvement and solution discussions and presents outcomes in written and verbal format to senior management within information security areas
• Participates in cross-functional team initiatives and projects
Education and Experience:
• Bachelor’s Degree in Computer Science, Information Systems, or other related field, or equivalent combination of work experience and education
• 3 to 5 years of relevant work experience (e.g., information security, risk management and compliance)
• Industry recognized certifications within the domains of information security and privacy (e.g., CISSP, GIAC, CISM, CISA, CIPP, CTPRP, CCSP, etc.) considered a plus and recognized as an indication of work experience
Knowledge and Skills:
• Detailed knowledge applying risk management frameworks such as NIST, FISMA, or ISO 27000
• Subject matter expertise in SSAE 16, SOC 2, Shared Assessments, FedRAMP, and other vendor risk assessment methodologies
• Comprehensive knowledge of third party lifecycle management and vendor risk management methodologies, including associated regulatory and industry guidance
• Broad knowledge of information security and privacy fundamentals
• Excellent oral and written communication, ability to convey technical and security related concepts to people at all levels of the organization
• Working knowledge of Governance, Risk, and Compliance (GRC) and IT Vendor Risk Management tools
• Proficient in the design and implementation of effective information security controls
• Ability to create new processes to improve security and compliance with minimal oversight
• Strong organizational and prioritization skills to handle multiple priorities
• Advanced analytical, problem-solving, design, and implementation skills to facilitate resolution of technical compliance issues and support maintenance of an effective controls environment
• Ability to work with diverse workgroups on information security risk assessments, exceptions and remediation
• Acute attention to detail with a high level of data integrity and accuracy
• Broad knowledge of the principles of data collection and analysis, business requirements, process improvement criteria, and performance metrics review techniques
• Excellent computer skills including Microsoft Office along with various other online applications, as needed for the role
The Federal Reserve Bank of Boston is committed to a diverse and inclusive workplace and to providing equal employment opportunities to all persons without regard to race, color, religion, national origin, sex, sexual orientation, gender identity, age, genetic information, disability, or military service.
All employees assigned to this position will be subject to FBI fingerprint/criminal background and Patriot Act/Office of Foreign Assets Control (OFAC) watch list checks at least once every five years.
The above statements are intended to describe the general nature, level of work and the requirements of this position. They are not intended to be an exhaustive list of all duties and responsibilities associated with this position or the personnel so classified. While this job description is intended to be an accurate reflection of this position, management reserves the right to revise this or any job description at its discretion at any time.
Organization: Federal Reserve Bank of Boston
Title: Third Party Risk Analyst
Requisition ID: 267300