Information Security Manager-Third-Party Risk

American Express New York , NY 10007

Posted 2 months ago

You Lead the Way. We've Got Your Back.

At American Express, we know that with the right backing, people and businesses have the power to progress in incredible ways. Whether we're supporting our customers' financial confidence to move ahead, taking commerce to new heights, or encouraging people to explore the world, our colleagues are constantly redefining what's possible - and we're proud to back each other every step of the way. When you join #TeamAmex, you become part of a diverse community of over 60,000 colleagues, all with a common goal to deliver an exceptional customer experience every day.

This position, reporting to the Director of Third-Party Assessments, will be part of a team responsible for performing technical assessments and inspections of the company's most critically sensitive third parties. The Manager will be responsible for physical and logical inspection of the third parties' Information Security and Technology controls and for publishing assessment results. They will need to issue findings for identified gaps, provide consultation on remediation, and validate that gaps have been remediated. The candidate will play a key role in facilitating joint Disaster Recovery planning and testing between critical third parties and American Express. Additionally, the role is expected to work with multiple teams, including external assessors, continuous monitoring, risk management, and product/tool management, to ensure the readiness and effectiveness of processes and monitoring tools.

Responsibilities also include:

  • Perform technical physical and logical assessments of in-scope third parties.

  • Assist with evaluation of tools / technologies to support monitoring capabilities.

  • Perform on-going tracking and monitoring of progress and assist in management reporting on a periodic basis.

  • Facilitate and coordinate joint Disaster Recovery testing between critical third parties and American Express.

Minimum Qualifications:

  • 10+ years of experience in Information Security and/or Third-Party Risk required; additional expertise in Disaster Recovery highly preferred.

  • Demonstrated expertise in Information Security and Third-Party Risk

  • Familiarity with secure software development practices

  • Expertise in web and mobile application vulnerabilities, detection and mitigation strategies

  • Expertise in DAST and SAST scanning technologies; ethical hacking experience desired but not required.

  • A broad understanding of the terminology, core principles, IT controls and best practices across key risk domains, including risk assessment methodology, identity and access management, network and infrastructure security, application security, data loss prevention, and incident management
  • Current certifications in CISSP, CISM, CISA, CRISC, CGEIT, COBIT, or PCI highly preferred

  • Self-motivated team player with the ability to handle multiple work streams and support various team member collaborative projects to completion.

  • Proven excellent relationship management skills with all levels of the enterprise are required

  • Ability to effectively collaborate across teams

  • Ability to quickly come up to speed in any area, sufficient to speak with an informed opinion and create a credible impression with stakeholders

  • Ability to identify gaps between one's skillset and the needs of the team.

  • Effectively seeking and utilizing feedback from leaders and mentors to address skill gaps

  • Ability to clearly present options and make compelling recommendations, using persuasion to gain agreement or pitch an idea

  • Involving the right people to ensure the best decisions are made in a timely manner
  • Ability to analyze complex information and identify the most relevant details.

  • Being flexible and able to adjust to new needs and new technologies, and to be comfortable with ambiguity

  • Strong sense of personal accountability and ability to drive results
  • Ability to travel to perform physical assessments at Third Parties

  • Bachelor's Degree in Computer Science or Engineering preferred

United States Only:

American Express is an equal opportunity employer and makes employment decisions without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran status, disability status, age, or any other status protected by law.



Similar Jobs

Risk & Financial Advisory Manager Third Party Risk Management


Posted 2 days ago

Dates listed: 1/22/2022 12:00:00 AM, 2022-04-22T00:00

Position Summary

Risk & Financial Advisory - Manager - Third Party Risk Management

Unanticipated risks have great consequences for clients. That's especially true today as new risks and complexities brought on by regulatory mandates, rapidly evolving technologies, and the digitalization of business operations are disrupting traditional business models. Deloitte Risk and Financial Advisory's Hybrid-Operate teams deliver next-generation managed services and advanced technology products to help organizations solve complex problems on a long-term basis. Teams do this by bringing together advanced analytics, robust domain knowledge and experience, and strong technology products to help clients monitor, manage, and measure their operational environment for risk. Given the ever-increasing size and complexity of third-party ecosystems, our clients are increasingly leveraging our firm's expertise to implement and operate a wide variety of Third Party Risk Management (TPRM) solutions designed to mitigate risks and drive more value in third-party relationships. If you are seeking a role that offers exposure to these clients, Deloitte Risk and Financial Advisory's Cyber practice may be the place for you.

The work you perform will help you develop an understanding of:

  • the different third-party relationships an organization may have across different industries;

  • the drivers which affect behaviors of business partners, suppliers and customers; and

  • the operational processes and controls required by an organization to effectively manage and monitor its third-party relationships.

As a Manager, this role offers excellent potential for:

  • Playing a lead role in designated tasks of the project team in gathering, organizing and analyzing data

  • Making major contributions in assuring products/deliverables meet the contract/work plan

  • Strong potential for growth and acceptance of additional responsibilities

Work you will do:

  • Lead multiple engagements in the delivery of third-party risk assessment services, which include, but are not limited to, assessment execution, stakeholder management, risk reporting and process optimization, leveraging available tools

  • Advise and assist clients in developing their third-party risk management programs, such as risk tiering methodology, risk assessment process flows, risk assessment questionnaires, and reports

  • Support the design and implementation of third-party risk operating models, identifying, evaluating, and providing solutions to evaluate complex business and technology risks

  • Design policies and procedures that support the successful implementation of TPRM operating models

  • Facilitate process walkthrough discussions to document end-to-end business processes and functional requirements

  • Consider the application of legal and regulatory requirements to the company's risk management practices

  • Design technology enhancement requirements to support third-party risk management processes

  • Track and communicate engagement performance and planning to Deloitte engagement management, ensuring project milestones remain on track and are completed in a timely manner

  • Actively mentor and train team members on Third Party Risk Management processes, governance, and frameworks

  • Work cross-functionally with team members to support and drive a collaborative team environment

  • Create and design effective presentations as a means of communicating project and deliverable progress to clients

  • Perform sophisticated data analyses to understand the client's business and identify risk

  • Execute advanced services and supervise staff in delivering basic services

  • Assist in the selection and tailoring of approaches, methods and tools to support service offering or industry projects

  • Understand the client's business environment and basic risk management approaches

  • Demonstrate a general knowledge of market trends, competitor activities, and Deloitte & Touche's products and service lines

  • Actively participate in decision making with engagement management and seek to understand the broader impact of current decisions

  • Generate innovative ideas and challenge the status quo

  • Build and nurture positive working relationships with clients with the intention of exceeding client expectations

  • Facilitate use of technology-based tools or methodologies to review, design and/or implement products and services

  • Identify opportunities to improve engagement profitability

The successful Manager will demonstrate the following attributes:

  • Ability to adopt a pragmatic approach to dealing with situations where confidentiality is important or where our work is of a sensitive nature

  • Independent thinker and resourceful problem solver with an ability to exercise mature judgment

  • Takes ownership and drives toward a successful outcome

  • Can see the big picture and naturally looks for what other client problems the team can solve

  • Ability to work independently and in teams to manage multiple task assignments

  • Strong oral and written communication skills, including presentation, interpersonal communication, and facilitation skills

  • Brings a genuine approach to day-to-day dealings that includes the highest ethical standard

  • Ability to manage multiple partners, including an external team

  • Ability to manage multiple stakeholders and maintain professional relationships

  • Acting as a leader in a team environment

Required Qualifications:

  • Bachelor's degree in information technology, math, business, cyber security, computer science, data analytics or a related field

  • 5+ years of relevant experience in information security

  • Working knowledge and understanding of information security and risk frameworks/standards (ISO 27001/2, NIST 800 series, PCI-DSS, etc.)

  • Demonstrated knowledge of key risk areas such as cyber risk, compliance risk and regulatory risk

  • Demonstrated knowledge in one or more of the following cyber risk domains: Security Governance and Management; Security Policies and Procedures; Application Security Controls; Access Controls; Network Security Operations; Security Architectures; Identity Management; Disaster Recovery & Business Continuity; Incident Response; Risk Management; Privacy and Data Protection; Encryption

  • Experience with internal controls, risk assessments, business process and internal IT control testing or operational auditing

  • Ability to travel up to 50% (while up to 50% travel is a requirement of the role, due to COVID-19, non-essential travel has been suspended until further notice)

  • Must be legally authorized to work in the United States without the need for employer sponsorship, now or at any time in the future

Preferred Qualifications:

  • Degree in Math, Business, Cyber Security, Computer Science, Data Analytics or a related field

  • CISSP/CISA (or equivalent)

  • Experience with information security audit or assessments

  • 3+ years of project management experience on mid-sized to complex projects required

  • Good understanding of legal and regulatory requirements around information security and data privacy, such as OCC Bulletin 29, FFIEC, HIPAA Security/Privacy, etc.

  • Prior consulting experience

  • Experience with internal controls, risk assessments, business process, and internal IT control testing or operational auditing

The team:

The Deloitte Advisory Third-Party Risk Management (TPRM) team, part of our Cyber Risk Services, works with some of the largest organizations in the world, across a variety of industries, to assist organizations in the development and operation of TPRM programs. Our client list includes eminent organizations across industries, e.g. technology, mining, media, pharmaceuticals, oil and gas, public sector and charities. Our TPRM portfolio of services includes a broad variety of solutions for our clients, including designing and implementing broad third-party governance and risk management frameworks/processes, developing third-party risk and control assessments, and implementing managed services to improve/enhance an organization's TPRM program.

Location: Deloitte Office, Anywhere in the US

Recruiting tips

From developing a stand-out resume to putting your best foot forward in the interview, we want you to feel prepared and confident as you explore opportunities at Deloitte. Check out recruiting tips from Deloitte recruiters.

Benefits

At Deloitte, we know that great people make a great organization. We value our people and offer employees a broad range of benefits. Learn more about what working at Deloitte can mean for you.

Our people and culture

Our diverse, equitable, and inclusive culture empowers our people to be who they are, contribute their unique perspectives, and make a difference individually and collectively. It enables us to leverage different ideas and perspectives, and bring more creativity and innovation to help solve our clients' most complex challenges. This makes Deloitte one of the most rewarding places to work. Learn more about our inclusive culture.

Professional development

From entry-level employees to senior leaders, we believe there's always room to learn. We offer opportunities to build new skills, take on leadership opportunities and connect and grow through mentorship. From on-the-job learning experiences to formal development programs, our professionals have a variety of opportunities to continue to grow throughout their career.

As used in this posting, "Deloitte Advisory" means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. These entities are separate subsidiaries of Deloitte LLP.

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability or protected veteran status, or any other legally protected basis, in accordance with applicable law. We will consider for employment all qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local laws, including the City of Los Angeles' Fair Chance Initiative for Hiring Ordinance, where applicable. See notices of various ban-the-box laws where available.

Requisition code: 66592

Deloitte, New York, NY
