GDS Advisory - Third Party Risk Management Manager (non-FS)
Ernst & Young AG
Taguig City, Philippines
13d ago

The Third Party Risk Management Manager will be responsible for leading a team of information security assessors.

  • Lead and manage the delivery of third party risk management engagements; such engagements involve performing a security assessment of a client’s third party service providers. This involves:
    o Performing security assessments of new and existing service providers
    o Performing vendor assessment reviews leveraging a SIG Lite or Full SIG
    o Verifying that all required SIG (Lite) questions have been answered by the vendor and all required documentation has been received
    o Assessing vendor answers and following up with the vendor directly for questions
    o Conducting a risk analysis and assessment of vendor information and documentation against a client’s IT security and data privacy requirements
    o Identifying whether additional information should be obtained from the vendor
    o Defining appropriate risk levels and corrective actions
    o Identifying issues and working with the vendor to resolve / accept them
    o Following up on corrective action plans
    o Maintaining an issues / items tracker and status updates for each vendor review
    o Providing risk acceptance and / or risk remediation recommendations

  • Managing the delivery of the engagement against the engagement budget, timeline, and scope
  • Performing quality assurance reviews
  • Providing coaching and guidance to the assessment team members

Qualifications

  • Minimum 7 years of experience in cyber security or third party risk management
  • Experience executing vendor security reviews required
  • Experience conducting third party reviews using SIG preferred
  • Use of risk assessment tools and techniques
  • Knowledge of various assessment types (e.g., self-assessments, audits, vulnerability assessments, penetration tests, third-party assurance)
  • Understanding of key industry control frameworks (NIST Cyber Security Framework, COSO, COBIT, ISO 27000, Unified Compliance Framework, etc.)
  • Understanding of Information Security policies and standards
  • High level knowledge and understanding of systems architecture, infrastructure, security and applications
  • Strong analytical capabilities
  • Excellent communications skills
  • Ability to communicate complex Information Security Risk assessment information to non-technical business leaders to ensure they comprehend the risk being assigned to them.
  • Able to effectively communicate evaluation of risk remediation plans to action plan owners to ensure that mitigation activities are appropriately addressed
  • BS in Information Assurance, or other Risk Management practice desired
  • Comprehensive knowledge on business processes and their relationship to technology desirable
  • Experience in working for a large Fortune 100 organization desired
  • CISSP, CISM, CRISC, CISA, or CTPRP desirable