Information Security Third Party Risk Analyst

  • Competitive
  • Miami Lakes, FL, USA
  • Permanent, Full time
  • BankUnited, N.A.
  • 23 Feb 18 2018-02-23

Information Security Third Party Risk Analyst

SUMMARY: This position has primary responsibility for the execution of the Company's Information Security (IS) third party program. The program provides a service to the Office of the Chief Information Security Officer (CISO) and Line of Business (LOB) relationship managers with the goal of determining whether the third party entity has an acceptable information security program which aligns with BankUnited cyber risk appetite. The individual will play a significant role in enhancing and implementing procedures to assess and risk rate the third-party information security program. The candidate will contribute to the Bank's information security awareness program to ensure all employees and contractors know, understand and follow BankUnited security requirements and work in a secure manner. Other areas of focus include IS policy review and compliance, risk management, cyber security, information systems, designing and testing of IS controls, and IS project management.

ESSENTIAL DUTIES AND RESPONSIBILITIES include the following. Other duties and special projects may be assigned.

Information Security (IS) Third Party Program (65%)
* Act as a key member of BankUnited Information Security team second line of defense for third-party risk management oversight.
* Perform IS due diligence on third party vendors to determine the effectiveness of their controls to protect the Bank's data, identify any discrepancies and escalate all issues to management.
* Execute and document assessment activities following established processes and procedures.
* Perform third party on-site visits to assess their current information security posture and practices.
* Support the advancements towards establishing a centralized third-party risk framework.
* Participate in the BankUnited third-party onsite visit program and represent information security during vendor meetings.
* Provide guidance and assistance as needed by the LOB relationship manager for timely completion of third-party due diligence requirements.
* Keep abreast of regulatory and compliance related information to enhance the third-party due diligence program.
* Work with team members to update and create documents and presentations that can be used to inform internal employees, external auditors or regulators about the Bank's Information Security third party program.

Information Security (IS) Awareness (20%)
* Promote information security awareness to all employees and contractors.
* Asist in the development and maintenance of a security awareness program that effectively changes behaviors so our employees and contractors act in a secure manner that reduces risk to our organization.
* Facilitate the security awareness program communication of our security policies and requirements so that employees and contractors know, understand, and can follow them.
* Team up with IT, IS and business management to create innovative awareness and training materials, tools and processes (e.g., Web-based e-learning, email phishing campaigns, surveys, quizzes, events, brochures, messages, presentations and videos)
* Assist in the design and development of a positive program that engages employees over time.
* Participate in collaborative events across the Bank to present information security awareness material.
* Assist team members to develop metrics to measure the success of the security awareness program.

Information Security Governance (15%)
* Collaborate in the development of a comprehensive Governance, Risk and Compliance (GRC) program to ensure compliance with corporate security polices regulatory requirements and adherence to industry best practices.
* Contribute to the continuous improvements, including automation where possible, to all aspects of the Information Security program based on expert knowledge, industry best practices, business objectives and risk tolerance, keeping the program relevant and in alignment with the business objectives.
* Stay aware of emerging IT, information security and cybersecurity trends to help determine if/when to integrate them into the assessment program.
* Establishes strong partnerships with internal stakeholders to ensure effective planning and collaboration on vendor related matters.
* Assist in the preparation of periodic management committee reports as deemed appropriate.
* Maintains professional and technical knowledge by attending educational workshops, reviewing professional publications, establishing personal networks, benchmarking industry best practices, and participating in professional societies.
* Perform IS Compliance and Risk Assessment activities as required by management.

QUALIFICATIONS/COMPETENCIES:
* Understanding of information security (IS) concepts, IT, information security awareness and third-party risk management processes, methodologies, and practices.
* Proficient knowledge of third-party related regulatory policies.
* Experience working with internal and external auditors preferred.
* Experience working in the finance industry dealing with sensitive data preferred.
* Excellent verbal, written and interpersonal communication skills, including the ability to communicate effectively with different levels of staff and management.
* Strong people management and analytical skills.
* Ability to work independently on initiatives with little oversight or as part of a team. Motivated and willing to learn.
* Strong attention to detail, strong analytical skills/problem solving/conceptual thinking.
* Self-motivator, willingness to develop and present ideas and suggestions for the creation of new processes and or to improve existing processes.
* Ability to multi-task, performing multiple projects simultaneously.
* Working knowledge of Microsoft Word, Excel, PowerPoint, and Visio.

EDUCATION and/or EXPERIENCE
* Bachelor's degree or higher in Information Systems, or related field and or equivalent combination of work experience.
* At least four (4) years IS experience in 2 or more of the following areas: Internet security, application security, security design and implementation, third party IS due diligence, IS security awareness programs, recertification of user rights, IS/IT auditing, IS/IT policy development, risk assessments, federal regulatory compliance for information protection and information security architecture.
* Working knowledge with one 1 or more of the following frameworks: ISO, COBIT, NIST.
* Working knowledge of regulatory compliance initiatives related to Sarbanes Oxley, the Gramm--Leach--Bliley Act and FFIEC.
* Firm grasp of the design and implementation of effective IS controls.
* Ability to drive a project to completion with minimal oversight.

Certifications: CISA, CISM, CGEIT, CRISC, CISSP or related certifications a plus.