NIS Third Party Risk Sr. Manager
- Experience 5-10 Years
- Category IT
- Location Atlanta, GA; Los Angeles, CA; Tampa, FL
PwC is a network of firms committed to delivering quality in assurance, tax and advisory services.
We help resolve complex issues for our clients and identify opportunities. Learn more about us at www.pwc.com/us.
At PwC, we develop leaders at all levels. The distinctive leadership framework we call the PwC Professional (http://pwc.to/pwcpro) provides our people with a road map to grow their skills and build their careers. Our approach to ongoing development shapes employees into leaders, no matter the role or job title.
Are you ready to build a career in a rapidly changing world? Developing as a PwC Professional means that you will be ready to create and capture opportunities to advance your career and fulfill your potential. To learn more, visit us at www.pwc.com/careers.
It takes talented people to support the US firm of the largest professional services organization in the world. Not all of us work directly with external clients. Some of our best people choose to apply their talents inside PwC.
As part of Internal Firm Services, you're serving an organization on par with many of our external clients. Our Internal Firm Services team consists of first-rate marketers, human resource professionals, computer technologists, knowledge managers, accountants, financial planners, administrators and leaders. Internal Firm Services staff are the people who make it work for the people who make it work for our clients.
The Network Information Security organization is tasked with designing, implementing and maintaining information security capabilities and services for the PwC Network of member firms. The organization consists of highly skilled information security professionals across the globe who are focused on developing a leading security program across the Network of Firms, to foster clients' trust in our ability to secure their most sensitive data, to better position PwC to address clients' evolving needs and to harmonize the internal firm security strategy with the client services go-to-market strategy. The group is leading PwC's Network Security Transformation Programme, a multi-year programme to enhance existing capabilities and build new capabilities to combat ever more complex cyber threats.
Information Security Risk and Compliance provides a range of services to the PwC Network of Firms that identify, quantify, and reduce risks to the security of information.
These services include IT risk assessment processes, meeting client security interactions, management of IT security controls, information risk assessments, data privacy reviews, managing compliance assessments, supply chain risk management, security policy development and IT risk due diligence. The team will interact with data privacy and legal organizations.
The team is responsible for enabling secure supplier relationships by performing initial integration and ongoing monitoring of third parties that store, process, and/or transmit firm data.
Minimum Year(s) of Experience: 6
Minimum Degree Required: High School Diploma or GED
Degree Preferred: Bachelor's degree
Certification(s) Preferred: CISSP, CISA, CRISC, and/or CISM
Demonstrates extensive knowledge of, and/or a proven record of success in, IT security management frameworks, especially ISO 27001 and 27002 (17799), and their application in the support and integration of key business and strategic priorities, preferably for a global network of professional services firms, including in the following areas:
- Experience performing third party risk management activities such as supplier security assessments/reviews, contractual terms analysis and negotiation, and ongoing monitoring of supplier adherence to security commitments;
- Knowledge of cloud computing environments and experience evaluating organizational risks associated with cloud-based solutions, including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS);
- Knowledge of engagement and third party vendor legal documentation and processes, including MSAs, SOWs and RFP responses;
- Knowledge of IT security assessment processes, including audit, vulnerability scanning, and security policy and standards review. Experience creating and managing IT security policies and standards;
- Understanding of IT security fundamentals across multiple domains, including (but not limited to) security management, security architecture, access control, application development, operations security, physical security, cryptography, telecommunications and networking, business continuity planning, laws, investigations, and ethics;
- Experience managing risks in an organization that uses a global sourcing strategy. Knowledge and understanding of the risks that exist in a business and security environment comprised of multiple global geographies and suppliers;
- Experience managing information security focused projects;
- Experience in working with and leading efforts with contributors from multiple business, service delivery and supplier teams; and
- Experience with commercial governance, risk and compliance (GRC) applications is desirable.
Demonstrates extensive abilities and/or a proven record of success in the following areas:
- Ability to develop and manage structured third party risk identification, assessment, and treatment programs for large
- Ability to assess adherence to security controls using standard audit and assessment methodology (e.g. inquiry, inspection, observation);
- Strong customer-facing verbal and written communication skills. Comfortable independently engaging with client representatives up to the executive level and all levels of PwC management. This will include meeting directly with PwC clients as a representative of the IT organization. Able to produce written documentation at a level appropriate for submission to PwC clients and for use in legal documentation (MSAs, SOWs and RFP responses);
- Adept at translating technical IT security concepts into business terms;
- Ability to communicate and work comfortably with all levels of leadership;
- Ability to address risk utilizing standardized and consistent methodology;
- Ability to identify and leverage relationships between data held in different applications to develop tools and reports that support the management of information security;
- Ability to contribute to cross-functional efforts, working with business, IT and global teams, as a representative of the risk management organization; and
- Understanding of existing and upcoming legislative and regulatory requirements applicable to data protection and security.