
Job Description

The candidate will be tasked with managing responsibilities including, but not limited to, vendor risk assessment and working with both internal and external partners to manage all third-party attestation projects for all divisions across WK. The candidate will be accountable for managing to resolution all findings and observations identified in the vendor assessments, and will proactively work with internal Subject Matter Experts (SMEs) to maintain the adequacy of our vendor questionnaire, ensuring it stays aligned with the latest technologies and processes used to assess the maturity of our vendors against WK's compliance requirements.


Essential Duties and Responsibilities


  • Promote a positive, entrepreneurial, consulting and performance-focused culture that works effectively with vendors as well as WK staff.
  • Directly support WK's overall Third-Party Risk Management program through the execution of WK's Information Technology TPRM assessment process. Create reports of assessment findings, score all assessments as PASS/FAIL and communicate assessment findings to WK stakeholders.
  • Proficiency in executing assessment process tasks such as interviewing vendor representatives, reviewing vendor responses to assessment questionnaires and examining vendor documentation such as process documents, policies, audit reports and vulnerability scan reports.
  • Solid understanding that vendors vary based on the service they provide to WK and the WK resources they access; each vendor assessment is unique.
  • Create and maintain executive management reports that depict current Third-Party Risk Management KPIs.
  • Meet with vendors in person or via conference calls for Q&A sessions around their information security posture.
  • Expertise in examining and validating various third-party assessment reports and certifications provided by vendors that attest to their information security and control environment. Assessments may include SOC 2 reports, ISO 27001, FISMA, HIPAA, etc.

Other Duties


Performs other duties as assigned by supervisor.




Job Qualifications


Education and Experience:


  • Bachelor's degree in Accounting, Computer Science, Risk Management, or equivalent years of experience.
  • Two certifications required. Preferred certifications: Certified Information Systems Auditor (CISA), Certified Risk Manager (CRM), Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor, or equivalents.
  • 5+ years of hands-on combined experience with financial and information technology internal controls design, testing, audit, risk assessments, investigations, findings, and remediation.
  • 4+ years of hands-on combined experience performing vendor assessments, either as part of an internal team or as a contractor/consultant on behalf of clients.
  • 4+ years of audit experience with SOC 1, SOC 2, SOX 404 and healthcare regulatory compliance.
  • Experience leading engagements, developing work programs/plans, building relationships, and providing performance feedback while meeting stakeholder and client expectations.
  • Good written, verbal and presentation skills, including interactions with key stakeholders, internal executive management, and external executive management and senior leaders.
  • Experience working in remote environments. Independent, motivated self-starter with the ability to analyze complex problems, think critically, solve problems, influence change, and provide thought leadership.
  • Excellent interpersonal skills, including the ability to work across a highly matrixed organization and to interact, influence and negotiate effectively with all levels of leadership and peers.
  • Experience with vendor and managed security services, with the ability to identify continuous improvement opportunities that drive risk assessment effectiveness and efficiency.
  • Ability to travel as needed.

Other Knowledge, Skills, Abilities or Certifications (requirements listed first, followed by preferences):


  • Knowledge of computer networks, hardware, operating systems, and software, including an understanding of IT General Controls (ITGC) testing concepts (preferred).
  • Knowledge of risk methodologies, design and testing of controls, and data analytics including metrics and measurements.