ERC Senior Analyst

Minnesota

C4 Technical Services
Job Expired - Click here to search for similar jobs

Location: Richfield, MN (Hybrid Schedule)

Tell us about your department: Third Party Risk Management reviews the Information Security posture of all our Goods Not For Resale (GNFR) vendors. We review and compare our vendor questionnaire responses against our Vendor Privacy and Security Policy (contract addendum).

While Information Security is the bulk of our reviews, we also review other risk areas such as business resiliency, financial, ethics/legal/compliance, labor environment, and brand/reputation. We have cultivated subject matter experts within our group and external to our group for any issues we identify.

Any gaps between the contract and the non-Information Security expectations of our vendors are written up as findings, which must be remediated by the vendor. These findings must be socialized by us with the business owner, Procurement, and the vendor, so the analyst must be able to communicate across different audiences.

Our team works closely with our Information Security and other ERC (Enterprise Risk and Compliance) teams, Procurement and Legal Teams, and the business teams.

Project Description: This project is to supplement our Third Party Risk Management Team and to perform core duties of assessing new and existing GNFR vendors.

Position Summary/Job Description:

Education: Bachelor's Degree (4 yr) or Equivalent Industry Experience

The Third Party Risk Senior Analyst will manage and execute assessments to identify, manage, and communicate risk across the enterprise. This role will work with various teams within the Enterprise, including Privacy, Legal, IT, and Procurement, to advise on third party risk topics that include information security, business resiliency, reputation, finance, ethics, compliance, and insurance. In addition, the Senior Analyst will support team processes, develop reporting/metrics, and ensure data integrity within Archer eGRC.

Key Responsibilities (Essential Functions), in order of importance:

1) Conduct enterprise-wide third party risk assessments of external partners.

a. Execute, coordinate and support risk assessments to identify and prioritize risks.

b. Facilitate and analyze responses of Risk Profiles to ensure the appropriate level of risk is assigned to each third party service line.

c. Assess risks and prioritize based on existing, internally approved information risk ranking models.

d. Create, organize, and maintain reporting/metrics within Archer eGRC.

e. Conduct reassessments based on inherent risk schedule.

2) Advise partners regarding inherent and residual risk posed by third parties.

a. Effectively communicate roles and responsibilities pertaining to the assessment process and finding remediation with internal business teams and external vendors.

b. Assist in communications to business partners on impact, likelihood and severity of risks in driving risk remediation efforts.

c. Collaborate with various audiences, including Security Architecture, Application Security, IT, BC/DR, Legal, Procurement and others.

3) Maintain relationships with internal teams through clear, consistent communication.

a. Support team intake process to ensure appropriate responses and resources are communicated to enterprise partners regarding general questions, assessment requests and other inquiries as needed.

b. Serve as Business Resiliency risk liaison to understand finding requirements and relay learnings to the Third Party Risk team.

Skills Overview:
Minimum 2 years of experience in the Information Security TPRM risk category
Familiarity with the Payment Card Industry Data Security Standard (PCI DSS), NIST Cyber Security Framework (CSF), and ISO 27000 series
2 years of experience performing risk assessments or audits
Strong interpersonal and communication skills with the ability to develop productive working relationships with technical and non-technical teams
Ability to work in a fast-paced environment within a team

What are some preferred/nice to have skills the manager is looking for?
CISSP, Security+, Network+, or SSCP certification
Experience in the TPRM risk categories Business Resiliency, Finance, Ethics/Compliance, or Insurance.
Experience with Archer GRC tool.
Ability to work with a start-up mentality inside of a large organization to provide security recommendations with the business strategy and goals in mind.

Date Posted: 22 May 2024