Application Security Analyst

Location: New York, NY or Jersey City, NJ (Hybrid)

Duration: 1 year

Position Statement

The Information Security Third Party Risk Management (TPRM) & Application Security Analyst is responsible for managing Americas Information Security TPRM and Application Security Risk assessments. The position requires a solid knowledge of regulations (e.g., NY DFS, FFIEC) and best security practices (e.g., NIST, ISO) applicable to the financial industry and InfoSec topics including cloud security.

Essential Job Functions

• Perform TPRM risk assessments and liaise with vendors to evaluate security posture using industry standards (ISO, NIST etc) and analyze appropriate evidence (e.g. SOC 2 reports) to be assured of controls.
• Perform in depth technical reviews from an application security perspective, typically involving Cloud Providers using a standard methodology such as OWASP.
• Assembly, monitoring, and reporting on vendor security metrics to ensure transparency, compliance, and steering of the perimeter.

Key operational controls:

• Evaluate vendor compliance with cloud security standards
• Perform Information Security risk assessments for new vendors and critical vendors
• Interpret, identify, and mitigate critical risks factors in a timely matter
• Maintain and monitor due diligence tasks for third-party vendors
• Review vendor due diligence materials (i.e., SSAE 18 reports), identify potential issues, and follow up for unresolved issues
• Track measure, report, and evaluate vendor performance
• Perform information risk assessments for new vendors and critical vendors
• Interpret, identify, and mitigate critical risks factors in a timely manner
• Assist Department Heads and Managers with vendor selection process through information security risk review, completion of due diligence tasks and risk assessments
• Troubleshoot vendor problems and present to management as required
• Provide status reports to senior management, auditors, and regulators
• Research on industry/regulatory and cyber security issues
• Up to date and continuing education of compliance related issues and value-added training
• Perform ad hoc analyses and participate in special projects as needed by management

Knowledge and Experience

• 5 years demonstrable experience in Information Security Vendor Risk Management experience with at least 5 years of management experience ideally with a remote / offshore team
• Proficient with and at least one GRC tool (highly recommended)
• Solid understanding of common security tools (e.g., vulnerability scanners, firewalls, IDS/IPS, AV software) preferred
• Requires strong analytical skills, problem solving skills, and project/program management skills
• Solid training in computer disciplines such as application and data security, cloud security, computer technology or software disciplines
• Demonstrated ability to perform Vendor Risk assessments through on-site visits and reviewing SSAE18s
• Ability to commit to deliver tasks in a timely and effective manner
• Ability to take responsibility for all actions performed on an individual basis
• Proven ability to manage issues through to resolution
• Solid understanding of the banking industry s regulatory requirements for the managing of third parties (e.g., FFIEC)