The Global Information Security Vendor Assurance program is charged with assessment, communication, and ongoing monitoring of information security risk associated with the Firm's use of vendors in the provision of IT-related products and services.
Our program focuses on assessment of vendor risk compared to Firm security controls, industry standards, regulations and laws, and EY business practices.
The Information Security Vendor Assurance Analyst participates in and conducts inherent risk assessments, vendor research, reporting, data analytics, vendor and project team follow-up, report and metrics generation, documentation, and other required tasks associated with the execution of the Vendor Assurance mission.
The role is accountable to Vendor Assurance leadership and to our customers and maintains a relationship with our supporting stakeholders.
It is expected that, after a training period, the person in the role will take on analysis of less complex and lower-risk transactions and execution of reporting and other technical tasks.
The role will help maintain our information systems and actively participate in data cleansing and maintenance activities.
This role functions as an important contributor within a highly collaborative team environment. Day-to-day direction will be taken from the Senior Vendor Assurance Analyst (Associate Director).
contract and post-contract vendor assessment activities. These include:
Participate in vendor risk assessments by:
Determining the appropriate level of risk assessment activity based on inherent vendor risk utilizing the Archer Vendor Assurance platform and system recommended ratings.
Gathering information on the vendor’s overall security risk posture, program, facilities, services and solutions and assessing these against EY vendor security and data privacy requirements.
Reviewing vendor security plans, policies and standards.
Reviewing vendor-provided artifacts including independent attestations, certifications, and penetration test reports.
Conducting on-site security controls assessments, periodic re-assessments, and verifications.
Monitor vendor compliance with respect to committed finding remediation and ongoing risk assessment obligations.
Analytical / Decision Making Responsibilities:
The role requires an advanced degree of analytical acumen to probe for identification and understanding of potential information security risk represented by vendor transactions.
Ability to flex with customer requirements while maintaining the integrity of the risk assessment process. Ability to discern when to take action or to escalate to more senior members of the team is critical.
Ability to learn quickly and maintain a positive trajectory of learning in a highly complex vendor ecosystem made up of numerous rules, regulations, laws, Firm mandates, complex relationships and technology is critical to success in this role.
Skills:
Capability to identify those issues that need to be escalated to more senior members of the Vendor Assurance team.
Good knowledge and skills with Microsoft Office and SharePoint.
Experience and skills in Information Security technical areas.
Experience with and skills in IT Risk analysis.
Supervision Responsibilities:
The role is generally an individual contributor managed by the Vendor Assurance Team Lead. The role will not require supervision of others.
Other Requirements:
The role may also require the periodic allocation of additional time on the job during usual working hours to ensure multiple demands are met in an efficient and timely manner.
Bachelor's degree in a technical discipline such as Engineering or Computer Science, or equivalent work experience in IT and specifically Global Operations.
Certification Requirements:
None of note, but recommended certifications can include: