EY Information Security Vendor Assurance Analyst in Argentina
Information Security Vendor Assurance Analyst
Core Business Services
Requisition # ARG001EX
Post Date Apr 04, 2018
The Global Information Security Vendor Assurance program is charged with assesment, communication, and ongoing monitoring of information security risk associated with the Firm's use of vendors in the provision of IT related products and services. Our program focuses on assessment of vendor risk compared to Firm security controls, industry standards, regulations and laws, and EY business practices.
The Information Security Vendor Assurance Analyst participates in and conducts inherent risk assessments, vendor research, reporting, data analytics, vendor and project team follow up, report and metrics generation, documentation, and other required tasks associated with the execution of the Vendor Assurance mission. The role is accountable to Vendor Assurance leadership and to our customers and maintains a relationship with our supporting stakeholders. It is expected that after a training period the person in the role will take on analysis of less complex and lower risk transactions and execution of reporting and other technical tasks. The role will help maintain our information systems and actively participate in data cleansing and maintenance activities. This role functions as an important contributor within a highly collaborative team environment. Day to day direction will be taken from the Senior Vendor Assurance Analyst (Associate Director)
• Collaborate with engagement teams, internal IT, procurement, legal, and other functions to efficiently and effectively execute both pre-contract and post-contract vendor assessment activities. These include:
o Participate in vendor risk assessments by:
Determining the appropriate level of risk assessment activity based on inherent vendor risk utilizing the Archer Vendor Assurance platform and system recommended ratings.
Gathering information on the vendor’s overall security risk posture, program, facilities, services and solutions and assessing these against EY vendor security and data privacy requirements
Reviewing vendor security plans, policies and standards
Reviewing vendor provided artifacts including independent attestations, certifications, and penetration test reports
Conducting on-site security controls assessments, periodic re-assessments, and verifications
Monitor vendor compliance with respect to committed finding remediation and ongoing risk assessment obligations.
Analytical/Decision Making Responsibilities:
The role requires an advanced degree of analytical acumen to probe for identification and understanding of potential information security risk represented by vendor transactions. Ability to flex with customer requirements while maintaining the integrity of the risk assessment process. Ability to discern when take action or to escalate to more senior members of the the team is critical. Ability to learn quickly and maintain a positive trajectory of learning in a highly complex vendor ecosystem made up of numerous rules, regulations, laws, Firm mandates, complex relationships and technology is critical to success in this role.
• Advanced analytical abilities to conduct effective risk analysis to ascertain key issues and variances from EY Firm security Controls. Capability to identify those issues that need to be escalated to more senior members of the Vendor Assurance team.
• Ability to manage and deliver on multiple and shifting priorities to provide high quality, timely, and effective service to our customers.
• Advanced interpersonal skills to engage and collaborate with multiple internal stakeholders within a matrixed, geographically dispersed organization.
• Advanced communication skills, both oral and written in the English language, to summarize key issues and findings, to formulate supportive ideas and materials as well as present complex findings and ideas clearly and concisely to a variety of levels of the organization including senior management.
• Advanced knowledge of Information Security controls such as ISO27001 (2), NIST, or GDPR.
• Advanced skills in Microsoft Excel is mandatory and part of documentation and analysis requirements.
• Advanced working knowledge of data analytic methods and tools, including but not limited to Spotfire, and Microsoft Excel. Good knowledge and skills with Microsoft Office and Sharepoint.
Experience and skills in Information Security technical areas.
Experience with and skills in IT Risk analysis.
The role is generally an individual contributor managed by the Vendor Assurance Team Lead. The role will not require supervision of others.
The role may also require the periodic allocation of additional time on the job during usual working hours to ensure multiple demands in an efficient and timely manner.
Bachelor's degree in a technical discipline such as Engineering or Computer Science or equivalent work experience in IT and specifically Global Operations
• Approximately 4 to 5 years of information security or IT risk management desired
• Advanced skill level in Microsoft Excel highly desired
• Medium to advanced skill level in Spotfire or similar product for reporting is highly desired
None of note but recommended certifications can include:
• Certified Information Systems Security Professional (CISSP)
• Global Security Essentials Certification (GSEC)