IT 43

  • Category: Bank Jobs
  • Location: Warren, Pennsylvania
  • Job Type: Full Time / Part Time
  • Salary: Estimated: $ 19K to 28K
  • Published on: 2025/09/21

Job Description

The Information Security/Privacy Third Party Risk Assessor is responsible for the assessment, verification, review, and audit of technology controls and/or business process controls related to third party relationships. The Assessor will be reviewing third-party Information Security and Privacy controls to ensure the vendor's IT environment meets or exceeds Northwest's Information Security and Privacy expectations. The Assessor will oversee the resolution of any identified risks to ensure they are adequately mitigated prior to third-party contract signature. As business needs dictate, the Assessor may be asked to assist with the annual Information Security Risk Assessment (GLBA), Authentication and Access Assessment, and annual PCI Audit.

Essential Functions
• Execute third party risk assessments; facilitate remediation planning, exposure tracking and communicating risks in accordance with regulatory frameworks, e.g., FFIEC Handbook for Third Party Management and Enterprise Procurement processes
• Provide technical expertise to support the Vendor Management Team with 3rd and 4th party supply-chain security and risk assessments, audits, tests, and verification activities, and when appropriate make recommendations to mitigate risks
• Apply or recommend adaptive security requirements and/or measurements based on investigative findings and threat monitoring including performing security risk assessments prior to changes in the production environment occurring to ensure changes do not violate regulatory requirements
• Assess systems of various scope and complexity to obtain, review, and interpret evidence provided to validate that controls are performed effectively, with a primary focus on regulatory-prescribed compliance when required. Interpret regulatory requirements into easy-to-understand language for constituents.
• Conduct and lead assessment interviews and tests to identify technology control gaps that introduce risk to the organization
• Execute and assist management with IT audits and regulatory compliance requirements as needed
• Build out the development of third-party risk assessments, risk mitigation, and performance reporting by partnering with the Enterprise Procurement Function
• Participate as the liaison between Enterprise Risk and Information Technology/Information Security to improve the overall ability to identify third party risks, with a focus on continuous control monitoring and emerging third party cyber security threats
• Continually update the Information Security/Privacy third party inherent risk and Control questionnaires as the third-party threat landscape evolves.
• Maintain third-party risk metrics, KRIs, and KPIs

Additional Essential Functions
• Ensure compliance with Northwest’s policies and procedures, and Federal/State regulations
• Navigate Microsoft Office Software, computer applications, and software specific to the department in order to maximize technology tools and gain efficiency
• Work as part of a team
• Work with on-site equipment

Safety and Health for those without supervisory duties
• Abide by the rules of the safety and loss prevention program
• Perform work tasks in a safe manner
• Report any and all injuries to supervisor
• Know what to do in case of an emergency

Qualifications

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Education

Technical Degree Information/Cyber Security or Risk Management Or

Associate's Degree Information/Cyber Security or Risk Management Or

Bachelor's Degree Information/Cyber Security or Risk Management

Work Experience

3 - 5 years Direct Third-Party Risk Assessment Experience

3 - 5 years General IT Functional Experience

General Employee Knowledge, Skills, And Abilities
• Ability to establish effective working relationships among team members and participate in solving problems and making decisions
• Ability to present and express ideas and information clearly and concisely in a manner appropriate to the audience, whether oral or written
• Ability to actively listen to what others are saying to achieve understanding, sharing information with others and facilitating the open exchange of ideas and information
• Ability to establish courses of action for self to accomplish specific goals, develop and use tracking systems for monitoring own work progress, and effectively use resources such as time and information
• Ability to make right decisions based on perceptive and analytical processes, practicing good judgment in gray areas

Additional Knowledge, Skills And Abilities

Assesses systems security requirements by studying business requirements; conducting system security and vulnerability analyses and risk assessments; studying architecture/platform.

Perform risk assessments and execute tests of data processing system to ensure functioning of data processing activities and security measures.

Knowledge of security and audit topics such as FFIEC Guidelines, GLBA, PCI and HIPAA a plus.

Knowledge of best practices for technology architecture and design

Ability to assess cybersecurity controls and technology configurations

Ability to build, update, and maintain a global policy governance framework

Experience and ability to build, manage and update SOX controls

Licenses and Certifications

Certification in Information Security such as Security+, CISSP, CISA, etc.

CISA

Northwest is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.


Company Name: Northwest Bank
