BNY Mellon Vendor Information Risk Lead Specialist in Wroclaw, Poland

For over 230 years, the people of BNY Mellon have been at the forefront of finance, expanding the financial markets while supporting investors throughout the investment lifecycle. BNY Mellon can act as a single point of contact for clients looking to create, trade, hold, manage, service, distribute or restructure investments, and safeguards nearly one-fifth of the world's financial assets. BNY Mellon remains one of the safest, most trusted and admired companies. Every day our employees make their mark by helping clients better manage and service their financial assets around the world. Whether providing financial services for institutions, corporations or individual investors, clients count on the people of BNY Mellon across time zones and in 35 countries and more than 100 markets. It's the collective ambition, innovative thinking and exceptionally focused client service, paired with a commitment to doing what is right, that continues to set us apart. Make your mark:

Risk and Compliance provide risk and compliance services across all BNY Mellon businesses. Organizationally, Risk and Compliance includes the following groups: Risk Management, Compliance, Global Corporate Security, Information Risk Management and Global Business Continuity. Risk Management oversees and delivers risk services and ensures new business risks are reviewed and approved. Risk Management is organized through Chief Risk Offices for each core business and critical operation. Risk managers provide shared support to BNY Mellon for operational risk services for Global Corporate Trust, Depositary Receipts, Treasury Services and Global Operations in EMEA. Compliance helps ensure BNY Mellon's businesses maintain appropriate processes to comply with applicable laws, regulations, BNY Mellon policies and ethics. This is accomplished through business- and business partner-specific teams of professionals, under centralized global management.


Team Description:

The role is part of the Information Risk Management (IRM) organisation at Bank of New York Mellon. IRM is comprised of 6 main teams:

• Risk and Control Governance

• Technology Risk Management (Application Assessments, Infrastructure Assessments, Service Provider Management & Risk Strategy)

• Information Security

• Identity and Access Management

• Vendor Information Risk Management

• Chief Administrator's Office

The role will form part of the Vendor Information Risk Management team, which is responsible for executing and overseeing the risk management framework in relation to vendor risk management and third party governance. The team has a global footprint.

Job Purpose:

Execute risk-based assessments of the company's vendors, leveraging control information in various formats and from different sources, communicating with both stakeholders and vendors, and reporting results.

Responsibilities:

• Perform and complete new and existing assessments on vendors and 3rd parties, leveraging the BNY Mellon methodology that includes questionnaires, evidence requirements, and interviews with vendors and internal stakeholders to appropriately assess controls relating to: information and security risk management; privacy and security policies and governance; organizational security; asset management; physical and environmental security; communications and security operations management; access controls of systems and applications; cryptography and encryption controls; information systems acquisition, development and maintenance; third party relationship management; vulnerability and threat management; incident, event and communications management; business continuity and disaster recovery; compliance with regulatory and industry standards; and cloud controls relating to infrastructure, platform, and software as a service.

• Perform evidence-based assessments, with strong working knowledge of reviewing and identifying gaps relating to: SOC 2 reports; data flow and network diagrams; information security, privacy, and risk management policies; data center security and environmental controls; identity and access controls; the vulnerability management process and latest vulnerability reports; current application and network penetration testing summary reports; business continuity and disaster recovery plans, tests, and results; system development lifecycle and change control processes; incident management and response plans; malware prevention and detection controls in place; patch and configuration management for applications, supporting databases, infrastructure, and operating systems; network and server hardening standards in place and compliance reports against those standards; distributed denial of service controls; information security and risk management organization charts; and the third party risk management program in place to assess vendors, service providers, and suppliers.

• Act as representative for vendor assessments, gaps, risks, controls, and status of posture for current and new vendors.

• Develop and maintain strong relationships with key departments, particularly Corporate Senior Information Risk Officers (CSIRO), Relationship Managers, Legal and Procurement, who are actively involved in vendor on-boarding and overall management.

• Continuously monitor and ensure a high level of quality and accuracy is maintained on reviews, work papers, risk statements, and management reports.

• Create and provide reports of vendors on a monthly, quarterly, and annual basis relating to vendor control posture, statistics on types of vendors, and vendor risks.

• Stay abreast of changes relating to global regulatory requirements regarding 3rd party Vendor Risk Management.

• Vendor risk assessments

• Risk reporting and metrics on assessments of new and existing vendors

• Vendor risk assessment alignment and partnership with key stakeholders


• Minimum of 5 years conducting 3rd Party vendor risk assessments within the financial markets, with at least 7+ years of working experience in risk management.

• Subject matter expert on ISO27001:2013, ISO 22301, NIST 800-53 Rev 4, NIST 800-161, NIST Cybersecurity Framework controls.

• Working knowledge of Archer GRC is highly advantageous.

• Strong experience with security, availability, privacy, processing integrity, confidentiality, and vulnerability management, and with general IT controls, specifically in the banking and financial industries.

• Pragmatic approach and excellent verbal and written communication skills. Ability to challenge and explain complex issues and risks effectively.

• Experience balancing risks with controls.

• Organized, methodical and analytical.

• Undergraduate degree preferred.

• CISA, CISM, CRISC or CISSP required.

• BNY Mellon is an Equal Employment Opportunity Employer.

• Primary Location: Poland-Dolnoslaskie-Wroclaw

• Job: Audit/Compliance/Risk

• Internal Jobcode: 32946

• Organization: Information Risk Management-HR06032

• Requisition Number: 1610404

Category: Audit/Compliance/Risk