
IT Third Party and Client Security ...
Full Job Description
About the Role
At AECOM, the utilization of third parties is fundamental to our service delivery. This practice requires diligent oversight and continuous assessment of their security posture and performance. AECOM collaborates with a diverse range of third parties, such as vendors, partners, and suppliers, each presenting unique security, compliance, and operational risks. To address these challenges, AECOM is recruiting Third Party and Client Security Analysts to support the centralized Third Party and Client Risk Management Function. In this critical role, you will be instrumental in upholding our framework, operating model, and supervising processes to ensure two key objectives: (1) third parties adhere to AECOM's stringent security standards, and (2) AECOM provides its clients with the highest level of assurance regarding the compliance of its security program with regulatory requirements, industry standards, and client expectations.
Responsibilities and Duties
- Evaluate incoming requests for third-party engagements to assess potential risks.
- Conduct comprehensive initial and periodic risk assessments for third-party relationships.
- Collaborate effectively with business requesters, procurement, legal, and other internal teams to ensure timely completion of security questionnaires.
- Partner with security and IT team members to gain a thorough understanding of security controls, technologies, and architectural landscapes.
- Meticulously review third-party responses to security questionnaires, SOC 1, and SOC 2 assessment reports to identify potential risks to AECOM.
- Identify security gaps and issues by comparing third-party and/or client security standards against their current security postures.
- Devise and implement remediation plans, closely monitoring third parties and AECOM's security/IT teams for adherence.
- Manage, enhance, and implement the framework, policies, procedures, and program governance to ensure alignment of Third-Party Risk Management (TPRM) with industry best practices and regulatory requirements (e.g., NIST, ISO 27001, FedRAMP).
- Develop tactical and strategic plans to advance the third-party risk management program, ensuring compliance with evolving regulations and industry best practices.
- Triage and complete requests from AECOM clients regarding the robustness of AECOM's control environment.
- Manage AECOM's response to security due diligence processes for existing and potential business partners, clients, and third parties, including questionnaires and site visits.
- Provide assistance with Request for Information (RFI) and Request for Proposal (RFP) processes, and respond to client inquiries, ensuring comprehensive risk management is integrated throughout.
- Review third-party and client contracts to validate the inclusion and adherence of appropriate security requirements and commitments.
Qualifications
- Bachelor's degree in Information Technology, Information Security, Risk Management, or a related field.
- 2-3 years of professional experience in information security, IT, audit, third-party risk management, or a related area.
- Strong understanding of risk management principles and established security frameworks, such as NIST, ISO 27001, SOC 2, and PCI-DSS.
- Extensive experience in evaluating vendor security and compliance in relation to regulatory and industry standards.
- Familiarity with industry Governance, Risk, and Compliance (GRC) tools like UpGuard, AuditBoard, ServiceNow, etc., is considered a plus.
- Excellent prioritization and organizational skills.
- Proven ability to develop, document, and maintain procedures.
- Strong verbal communication skills, with the ability to advise management on third-party and client risk management matters.
- Demonstrated ability to work independently while also collaborating effectively with cross-functional teams.
Additional Information
- Ability to effectively communicate and collaborate within a specific group of internal and external customers.
- Capacity to maintain strong customer relationships and proactively support customer needs and requirements.
- Meticulous attention to detail in completing assigned tasks and identifying errors, duplicates, and discrepancies through defined methods.
- Aptitude for identifying, assessing, and resolving simple to moderate issues by following defined policies and procedures.
Company
AECOM
AECOM is a global leader in infrastructure consulting and project delivery. The company leverages a vast network of third-party partners, including vendors, suppliers, and collaborators, as an integra...