Third Party Risk Analyst

Overview:

Leverages professional knowledge, skills, and experience to assess and evaluate the effectiveness of third-party vendor cybersecurity programs. Employs a risk-based approach to ensure appropriate security principles and controls are applied, discover gaps, propose and/or approve remediation, and communicate residual risk to business units and senior management.

Primary Responsibilities:

• Understand information security program best practices to ensure protection of the confidentiality, integrity, and availability of customer and corporate data is in line with M&T Bank's enterprise risk appetite.
• Review and ensure third-party service risk assessment scores accurately reflect the inherent risk of the service to M&T Bank
• Complete required service and application cybersecurity due diligence documentation within established SLAs (Service Level Agreements), ensuring alignment with all applicable laws, regulations, bank policies and standards, as well as industry best practices in accordance with M&T Bank's risk appetite. Raise risk-related issues to management as required.
• Engage with Technology teams to identify security risks of proposed third party environments and recommend potential system/application modifications.
• Understand and adhere to M&T Bank's risk and regulatory standards, policies and controls in accordance with M&T Bank's risk appetite. Identify risk-related issues requiring escalation to management
• Present technical information to technical and non-technical audiences to ensure the business lines understand program assessment results. Present recommendations to various levels within the organization including senior management.
• Remain current with industry trends and security threats to advise management on how to mitigate and contain risks to the business. Prepare and deliver management level presentations to communicate trends and threats.
• Maintain M&T internal control standards, including timely implementation of internal and external audit points together with any issues raised by external regulators as applicable.
• Promote an environment that supports diversity and reflects the M&T Bank brand.
• Complete other related duties as assigned.

Scope of Responsibilities:

• Up to 25% annual travel commitment

Education and Experience Required:

• Associate's degree and a minimum of 2 years' relevant work experience, or in lieu of a degree, a combined minimum of 4 years' higher education and/or work experience, including a minimum of 2 years' relevant work experience
• Knowledge of cybersecurity principles and industry best practices (relevant to confidentiality, integrity, availability)
• Skill in evaluating security controls based on confidentiality, integrity and availability requirements of systems
• Experience with handling multiple projects
• Experience meeting strict deadlines

Education and Experience Preferred:

• Bachelor's degree

• Previous focused experience with NIST 800-53 framework
• Active Security+, CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CRISC (Certified in Risk and Information Systems Control) certification or other cybersecurity domain-related industry-recognized certification
• Knowledge of organization's risk tolerance and/or risk management approach
• Working knowledge of project management methodology
• Proven knowledge of information technology security principles and implementation method (e.g., firewalls, demilitarized zones, cloud network security design, encryption, role-based access control, perimeter security, application security, Active Directory / LDAP, SAML)
• Knowledge of Cybersecurity threats and emerging security issues
• Experience in conducting security control testing of systems

#cybersecurity #CISSP #Security+ #CRISC #CISA #CISM

Location
Buffalo, New York, United States of America