Country
India
Work Schedule
Full-Time
Work Arrangement
Hybrid
Relocation Assistance
No
Posting Date
03-Hayır-2025
Job ID
12906

Job Description and Requirements

Position Summary

 

 

Perform end-to-end IT third-party cyber risk assessments of MetLife’s vendors and other third-party organizations to ensure adherence to security and compliance requirements. This includes vendor due diligence, risk identification and analysis, Archer management, review of the vendor's questionnaire, control mapping, third-party audit report review, findings and exceptions management, risk mitigation, periodic reviews, and various contract negotiations.

Job Responsibilities

 

  1. Conduct end-to-end IT third-party vendor risk assessments of third-party vendors, including but not limited to: determining the scope of the service provided by interacting with MetLife Senior Management and business points of contact; administering risk assessments directly to vendors using our online GRC tool; examining responses to determine the extent of risk the relationship represents to MetLife; performing gap assessments on the vendor’s control environment; reviewing the vendor’s third-party audit reports; offering recommendations to the vendor and MetLife’s management on the risk incurred and on how to respond to any risks; and generating risk findings.
  2. Assess and respond to risk findings, including pursuing action plans to completion and negotiating due dates with vendors.
  3. Provide guidance to the business, Strategic Sourcing and other stakeholders to ensure requirements of VRM are fully understood.
  4. Perform security assessments of systems, applications, data centers, infrastructures and service providers using an established framework and tools to evaluate vulnerabilities. Research new and developing technologies and standards to help contribute to the continuous improvement of the risk assessment process.
  5. Act as a subject matter expert in understanding why certain risks are a threat to the company and how compensating or mitigating processes affect that risk.
  6. Prepare weekly and monthly reports and dashboards for submission to higher management and stakeholders.
  7. Provide guidance on IT security requirements during contract negotiation discussions.
  8. Continually reassess the operational risks associated with the function and inherent in the business.
  9. Support vendor selection and contracting on major sourcing efforts, and reassess the risks associated with a vendor relationship prior to the renewal of contract agreements.
  10. Identify and communicate departmental vendor risk issues and compliance problems that have not been adequately addressed; offer reasonable solutions, and assist departments with efforts to come into compliance.

 

 

 

 

Knowledge, Skills and Abilities

 

 

Education

  • Master’s/Bachelor’s degree in Engineering/IT/Information Security or Computer Science from a recognized Indian University 

 

Experience

  • 4-6 years of experience in IT third-party cyber risk management, IT risk & security, and IT audit.

 

 

Knowledge and skills (general and technical)

  • Knowledge of information security standards (SSAE16, PCI ROC/AOC, ISO 27001:2022), laws (e.g., NIST, FFIEC, etc.), and regulatory requirements (e.g., GDPR, DPL, HIPAA), and of commonly used concepts, practices and procedures within information security, application security, data center security, and privacy.
  • Proven solid analytical and problem-solving skills. Advanced computer skills, including the Microsoft Office suite and other business-related software systems.
  • Skills in influencing business units to assess and monitor vendor risk and follow vendor risk management policy.
  • Ability to manage various complex projects and processes to completion. Sound understanding of vendor assessment concepts, with the ability to manage existing work and add value to it.
  • Excellent writing and communication skills; able to translate technical concepts into layperson’s terms and interface with upper-level management, including Legal Counsel and Corporate Compliance.
  • Excellent ability to work effectively with peers, business units, IT management and staff, and internal/external business partners/clients/vendors.
  • Able to deal with ambiguity: integrate, prioritize and roll out programs without clearly defined guidelines.
  • Strong organizational ethics to manage a large volume of competing tasks effectively.
  • Direct experience in developing, implementing, and improving technology controls in a corporate environment.
  • Experience of working in a fast-paced organization that is focused on accountability (must deliver results).
  • Experience working with all levels of an organization, and comfortable presenting to, interacting with, and taking direction from Senior Management.
  • Team leadership and mentoring skills to lead a team of information security professionals and mitigate their IT risk issues.

 

 

About MetLife

Recognized on Fortune magazine's list of the "World's Most Admired Companies" and Fortune World’s 25 Best Workplaces™, MetLife, through its subsidiaries and affiliates, is one of the world’s leading financial services companies, providing insurance, annuities, employee benefits and asset management to individual and institutional customers. With operations in more than 40 markets, we hold leading positions in the United States, Latin America, Asia, Europe, and the Middle East.

Our purpose is simple - to help our colleagues, customers, communities, and the world at large create a more confident future. United by purpose and guided by our core values - Win Together, Do the Right Thing, Deliver Impact Over Activity, and Think Ahead - we’re inspired to transform the next century in financial services. At MetLife, it’s #AllTogetherPossible. Join us!