About the Role
The Enterprise Vendor Risk Management Analyst’s primary objective is to identify and examine areas of potential risk that threaten the infrastructure or the ability of Franklin County Agencies to provide services to the county as a result of a third-party engagement. This role is responsible for developing and presenting the various ways or means by which risks or damages can be lessened, and will also provide recommendations based on his/her analysis. Reviewing and analyzing vendor documentation, identifying and measuring the risk associated with vendor security controls, and documenting and reporting risks to the FCDC leadership team, business partners, and vendors are also part of this role. Employees new to FCDC or promoted into new positions must successfully complete a 180-day probationary period, and all employees must adhere to current Employee Handbook policies.
Essential Duties and Responsibilities
To perform this job successfully, candidates must be able to perform each essential duty and fulfill each responsibility satisfactorily. Reasonable accommodations may be made to enable individuals with disabilities to perform essential functions. The essential duties and responsibilities include:
- Assist in defining business processes and controls for the assessment of third-party providers to ensure compliance with security and regulatory requirements
- Provide subject matter expertise supporting vendor risk management processes and solutions
- Review vendor responses and documentation, draft the controls in place and controls not in place, and engage with the vendor, business contact, and leadership as appropriate to complete the assessment
- Review, document, track, and collaborate on remediation of any third-party deficiencies
- Write recommendations for updates to vendor security assessment procedures, forms, RFIs, RFPs, questionnaires, security contract language templates, and vendor security assessment reporting and metrics
- Execute recurring assessments
- Serve as the primary point of contact for the vendor for security questionnaires, responses, and documentation
- Collaborate with auditors to provide evidence of compliance
- Act as vendor risk management advisor on projects
- Continually improve the accuracy, depth, and efficiency of the vendor risk management program through tools and processes
- Provide recommendations for vendor security scoring
- Assist in the development of metrics for measuring the success of the vendor risk management program
- Collaborate with finance and procurement teams on continuous improvement efforts
- Partner with the Data Loss Prevention Engineer to further data management capabilities
- Assist in the definition of business processes and controls around sensitive data and applications to ensure compliance with financial, privacy, and other security and regulatory requirements
- Ensure data loss prevention solutions and recommendations are incorporated into the vendor risk assessment process
- Evaluate and make recommendations for exceptions to security policy/standards related to vendor risk management
- Assist as needed in Incident Response (IR) in the event of a breach, intrusion, or theft by providing security capability expertise
- Monitor and coordinate compliance activity with information security policies
- Respond to and assist with security events during non-traditional hours as needed
Technical Skills:
- Ability to convey security capabilities in business terms
- Working knowledge of FTI, CJIS, HIPAA, and privacy regulations
- Ability to analyze data successfully to attain business context
- Ability to assess the potential risk of an escalated issue and use business skills to evaluate impact and alternatives
- Basic understanding of information security controls: how they are used for detection and response, how they impact the business, and how gaps can be mitigated or remediated
- Understanding of enterprise technology infrastructure solutions
- Ability to create, modify, and maintain the vendor questionnaires within the Vendor Risk Management solution
- Understanding of security incident response handling procedures, incident management, and incident remediation
Decision Making/Problem Solving:
- Makes sound, well-informed, and objective decisions in a timely manner.
- Compares data, information, and input from a variety of sources to draw conclusions; takes action that is consistent with available facts, constraints, and probable consequences.
- Applies both rational and creative processes to identify unknown root causes of problems.
- Based on the situation, decides on the best course of action, implements the solution, and follows up to see how it’s working.
- Calculates and evaluates the long-term consequences of a decision.
- Clearly conveys and receives information and ideas through various media to individuals or groups in a manner that engages the listener, helps them understand and retain the message, and invites response and feedback.
- Keeps others informed as appropriate.
- Demonstrates effective written and verbal skills.
- Uses keen active listening skills to gather and validate information, to build trust, and to enhance collaboration.
- Values an inclusive organization where the differences of all people are respected, valued, and utilized towards achieving common goals.
- Respects and relates well to people from varied backgrounds, understands diverse worldviews, and is sensitive to group differences; sees diversity as an opportunity and respectfully challenges bias and intolerance.
- Supports equal and fair treatment.
Qualifications: Education/Work Experience:
- Preferred: Associate or bachelor’s degree, or equivalent industry experience
- Required: High school diploma or equivalent
- Preferred: 3 years of information security experience
- Required: 2 years of information security experience
- Preferred: One or more relevant and recent IT security certifications from major manufacturers and/or testing services, such as Security+ or any ISC2 / ISACA certification
Supplemental Information: OUR HIRING PROCESS
- We review resumes and conduct initial calls with candidates who may be a fit.
- We invite selected candidates to a first interview centered on technical skills and experiences; we typically include HR, the CISO, and a peer or two.
- We invite finalists to a second interview centered on your leadership style and our team culture; we include the same group from the first interview but often add our CIO.
About the Company
FCDC provides cost-effective, business-driven, collaborative, and secure IT services and solutions to public service agencies throughout Ohio’s most dynamic county. Our goals are simple, but expansive: to be the most trusted enterprise technology service provider for Franklin County and a national leader in digital government services. Every day the FCDC team empowers county departments, agencies, and teams to deliver top-notch services to residents and businesses in central Ohio, and we take pride in the work they accomplish with our support.