Manager, Third Party Security Risk Oversight

7.00 to 0.00 Years   Mumbai City   19 Jul, 2021
Job Location: Mumbai City
Education: Not Mentioned
Salary: Not Disclosed
Industry: Banking / Financial Services
Functional Area: Network / System Administration
Employment Type: Full-time

Job Description

The Group Chief Information Risk Security Officer organisation is instrumental in protecting and ensuring the resilience of Standard Chartered Bank's data and IT systems by managing information and cyber security risk across the enterprise. As a critical function reporting into the Group Chief Risk Officer, the Office of the CISRO serves as the second line of defence for assuring ICS controls are implemented effectively and in accordance with the ICS Risk. The Group CISRO's responsibilities include ICS governance, policy, red teaming and industry partnerships. In addition, the team of Information Security Risk Officers reports to the CISRO and performs a pivotal role as an extension of the CISRO in supporting the ICS risk management to face off to the Client Services, Regions, and Functions. The Office of the CISRO is central to ensuring the Bank's ability to meet its ICS commitments to internal and external stakeholders, including regulators, as well as maintaining an acceptable ICS risk profile that is regularly reported to the Board.

Evolution in Third Party Security Risk Management

The Manager, Third Party Security Risk Oversight is a permanent role that requires deep knowledge in the ICS, technical and supply chain management fields to deliver innovative assurance programmes that protect our people, assets and reputation and support colleagues to continuously improve the firm's Third Party Security Risk posture. The successful candidate will have extensive experience in the quality execution and assurance of Information and Cyber Security Third Party risk management. They will work collaboratively across the Bank, and particularly with the First Line of Defence, Group CISO, Supply Chain Management, Technology and Innovation, and increasingly Fourth to nth Parties Security Risk.

The role reports directly to the Head, Third Party Security Risk Oversight.
The principal requirement of the role is to deliver risk assurance reviews on the Third Party Security Risk programme. The role will work very closely and collaboratively with, but also constructively challenge where necessary, the First Line of Defence Group CISO and Supply Chain Management to reduce overall ICS risk.

It is essential that the role holder:

  • has a technical background;
  • has extensive experience of working in third party security risk, preferably within Financial Services;
  • has extensive information and cyber security experience.
It is desirable that the role holder:
  • enjoys providing solutions to problems;
  • has worked in an assurance or audit function;
  • is comfortable operating in the second line of defence, proactively engaging with colleagues across the Bank and providing strong, but constructive challenge to operational colleagues;
  • has experience managing multiple deadlines and projects simultaneously;
  • is results-orientated, able to meet tight deadlines and work under pressure.
Business

The primary purpose of this position is to execute and deliver risk assurance reviews on the Third Party Security Risk programme. The successful candidate will work closely with colleagues, particularly in Supply Chain Management, Group CISRO, Group CISO, Heads of Information and Cyber Security, Information Security Risk Officers and Technology and Innovation, as well as other key stakeholders, including Legal and the Chief Data Protection Office, to develop, implement, monitor and refine the Bank's positions on Third Party Security Risk.

Processes & Risk Management

The major functional activities that the Manager will lead and manage are:
  • Execute and deliver Third Party Risk Assurance reviews based on approved annual plan
  • Ensure that Risk Assurance approach, plans and execution are compliant with standard operating policies and procedures, risk assurance standards and regulatory requirements
  • Provide opinion and, where necessary, challenge on Conditional Acceptances and Dispensations
  • Work closely with relevant CISO and CISRO colleagues to update Third Party Security ICS Standards Schedule and review requests for ICS Schedule changes
  • Work closely with relevant CISO and CISRO colleagues to review any requests for dispensation to the Security Standards Schedule included in external contracts
  • Effectively communicate Risk Assurance results to internal assessors as per plan
  • Monitor, track and report on Risk Assurance results to stakeholders, including Group Operational Risk (ORF), Third Party Security Risk Management and other relevant Risk & Governance teams
  • Manage stakeholders, including challenging 1st line based on Risk Assurance results as well as communicating, explaining and agreeing 2nd line position
  • Ensure effective record keeping and audit trails of all Assurance activities and results
  • Provide 2nd line support on Third Party Security Risk audit and regulatory requests/queries
  • Lead internal training sessions, as required, for internal and external assessors on 2L QA process, documentation standards and QA evidence retention requirements.
People & Talent
  • Constructively challenge the First Line of Defence on Third Party Security Risk
  • Lead through example and build the appropriate Bank and CISRO culture and values in a new team
  • Set appropriate tone and expectations from team, providing mentoring & support as required, and work in collaboration with internal and external partners to drive rapid, tangible outcomes
  • Uphold and reinforce the independence of the second line ICS Risk function
Governance
  • Contribute to and support colleagues in formulating and, as necessary, drafting Third Party Security Risk related security policies, standards, guidelines and procedures, and answer ad-hoc security governance queries;
  • Regularly report evolving ICS-related Third Party Security Risk requirements and changes in the ICS landscape to relevant colleagues and business, regional, and/or functional units within the Bank to ensure integration into business processes and requirements
Regulatory & Business Conduct
  • Display exemplary conduct and live by the Group's Values and Code of Conduct
  • Take personal responsibility for embedding the highest standards of ethics, including regulatory and business conduct, across the Bank. This includes understanding and ensuring compliance with, in letter and spirit, all applicable laws, regulations, guidelines and the Group Code of Conduct
  • Lead the immediate team to achieve the outcomes set out in the Bank's Conduct Principles: [Fair Outcomes for Clients; Effective Financial Markets; Financial Crime Compliance; The Right Environment]
  • Effectively and collaboratively identify, escalate, mitigate and resolve risk, conduct and compliance matters
  • Interpret global technical regulation and requirements
Key Stakeholders
  • Group CISO, Third Party Security Risk team
  • SCM
  • Head of ISROs and ISROs Functions
  • Heads of Information and Cyber Security
  • Audit
Responsibilities
  • Ensure that evolving regulations, policies and standards are monitored and incorporated into Bank policies and relevant risk frameworks.
  • Build trusted working relationships with other security functional heads, risk and compliance counterparts, and region and country stakeholders.
  • Perform other duties as assigned, including giving presentations, and developing briefings and other materials for senior executives.
  • Maintain sufficient and appropriate evidence of work performed for review by Group Internal Audit and others.
Ideal Candidate
  • Proven experience in ICS Supply Chain Management;
  • Bachelor's Degree in IT, Cybersecurity, Business Management, or other related discipline.
  • Graduate degree (Master's) and/or professional certifications are an advantage (e.g., CISA, CISSP, CISM, ITIL, PMP).
  • Minimum 7 years' experience in IT auditing and/or risk management, preferably with Big 4 and/or Banking & Financial services experience
  • Experience in third party audits is a plus, but understanding of auditing standards, compliance, risk assessment and internal control frameworks is a requirement
  • Strong knowledge of security frameworks (COBIT, ISF, COSO), standards (ISO, NIST, CIS), information security principles, security architecture and regulatory requirements
  • Strong ability to liaise constructively with internal and external stakeholders, including security, technical, risk and business stakeholders.

Keyskills: supply chain management, 3rd party relationships, security risk, internal audit, cyber security, record keeping, risk assurance, risk management, operational risk, internal control, auditing standards, information security
