Third Party Risk Analyst

Boston, MA, USA | Hybrid
Sorry, this job was removed at 5:17 p.m. (CST) on Tuesday, May 14, 2024

Company
Federal Reserve Bank of Boston
This job is eligible for a hybrid schedule with some onsite work expected. The individual is expected to reside in the 1st District/NE Region (or the 5th District/VA Area) unless given an exception.
The Third-Party Risk Management Analyst position will be a member of the Third-Party Risk Management organization within National IT. This Analyst will be a part of a team responsible for assessing the information security practices and posture of new and existing third parties for the Federal Reserve System. This role will have additional TPRM responsibilities supporting the identification, assessment, and mitigation of risks related to National IT's managed third-party relationships.
This position will leverage various sources of data to assess the security program and associated risk management practices of the Federal Reserve's suppliers, highlight risks and control gaps associated with the supplier's security program, categorize the potential risks based on severity, and identify potential mitigation strategies. The position is also responsible for translating the results of the analysis into a business-consumable format and delivering those results to business, legal, and procurement teams to advise risk decisions.
Additionally, the analyst will be responsible for identifying, performing, and tracking continuous monitoring activities to ensure that risks associated with active suppliers are appropriately managed and mitigated.
This position will participate in cross-functional teams to address information security policy, vendor risk management, or compliance issues. This position will determine best practices, suggest how to improve current practices, and monitor those practices.
Key Responsibilities (including, but not limited to the following):

  • Conduct comprehensive third-party cyber security assessments utilizing a NIST-based framework; evaluate the security posture of third parties to identify vulnerabilities, gaps, and areas of non-compliance; and identify and recommend security controls, best practices, and risk mitigation strategies in alignment with industry standards and regulatory requirements.
  • Generate detailed reports that provide in-depth analysis of assessment findings, including identified risks, control deficiencies, and recommended remediation actions for vendor engagements.
  • Engage with customers and stakeholders to communicate assessment results, address security concerns, and collaborate on potential remediation actions for vendor engagements.
  • Work as part of a cross-functional team to perform assessments on new and existing vendors to understand any potential threats to the Federal Reserve System, advising Federal Reserve stakeholders on any mitigations needed to reduce potential threats.
  • Review and interpret results of vendor audit reports and attestations (such as SOC2 reports); identify deficiencies and areas for remediation and advise appropriate stakeholders on findings. May conduct or coordinate periodic vendor audits, in collaboration with Vendor Managers, Internal Audit, and other internal teams as needed.
  • Provide coordination and reporting for third-party risk activities including vendor outreach related to cybersecurity breaches and zero-day vulnerabilities.
  • Lead process improvement and long-term information security solution discussions and present outcomes in written and verbal format to senior management.
  • Serve as a key participant in project development surrounding new processes and the integration of new processes with existing ones. Assist in developing communications of these changes to impacted stakeholders.


Education and Experience:

  • Bachelor's degree in computer science, information systems, or other related fields, or equivalent combination of work experience and education
  • Should possess or be able to achieve industry-recognized certifications within the domains of information security (e.g., CISSP, GIAC, CISM, CISA, CTPRP, CCSP, etc.)
  • 3 years of experience performing cyber security assessments, with a specific focus on third-party assessments and utilizing a NIST-based framework (e.g., NIST 800-53, NIST CSF).
  • Experience with compliance and security audits, and risk mitigation plans. Experience developing and completing vendor risk assessments for enterprise-level vendor relationships. Understanding of various risk and security certifications and attestations (SOC2, ISO 27001, etc.). Familiarity with third party risk and governance concepts.


Knowledge and Skills:

  • In-depth understanding of cyber security principles, concepts, and best practices, including risk assessment methodologies and security control frameworks.
  • In-depth understanding of regulatory requirements and industry standards related to third-party cyber security, such as GDPR, CCPA, HIPAA, PCI DSS, ISO 27001, etc.
  • Advanced use of cyber security assessment tools and external vendor information sources; and applying open-source intelligence methodologies.
  • Excellent analytical and problem-solving skills, with a proven ability to identify and assess risks in simple assessment scenarios and propose effective solutions.
  • Strong written and verbal communication skills, including the ability to effectively present simple technical information to non-technical stakeholders.


The Federal Reserve Bank is committed to a diverse, equitable and inclusive workplace and to provide equal employment opportunities to all persons without regard to race, color, religion, national origin, sex, sexual orientation, gender identity, age, genetic information, disability, or military service.
All employees assigned to this position will be subject to FBI fingerprint/criminal background and Patriot Act/Office of Foreign Assets Control (OFAC) watch list checks at least once every five years. All candidates must undergo an enhanced background check and comply with all applicable information handling rules.
The above statements are intended to describe the general nature and level of work required of this position. They are not intended to be an exhaustive list of all duties, responsibilities or skills associated with this position or the personnel so classified. While this job description is intended to be an accurate reflection of this position, management reserves the right to revise this or any job description at its discretion at any time.
For this job, any offer of employment is contingent upon successfully passing a two-phase security screening. The first phase consists of the satisfactory completion of a physical examination (including a drug screening), reference checks, and a security investigation consisting of credit and criminal history checks.
The second phase, which might not be complete until after you begin working at the Reserve Bank, is an additional risk-based security screening determined by the risk rating of the position. Depending upon the sensitivity of the position, this phase may include, and is not limited to, work and residency eligibility verification, and personal interviews with the candidate, references, and prior employers.
All applicants must have resided in the United States for at least three (3) years.
Full Time / Part Time
Full time
Regular / Temporary
Regular
Job Exempt (Yes / No)
Yes
Job Category
Work Shift
First (United States of America)
The Federal Reserve Banks believe that diversity and inclusion among our employees is critical to our success as an organization, and we seek to recruit, develop and retain the most talented people from a diverse candidate pool. The Federal Reserve Banks are committed to equal employment opportunity for employees and job applicants in compliance with applicable law and to an environment where employees are valued for their differences.

Technology we use

  • Engineering
    • Java (Languages)
    • Javascript (Languages)
    • Python (Languages)
    • React (Libraries)
    • Terraform (Libraries)
    • Rsocket (Libraries)
    • RDS (Libraries)
    • Spring (Frameworks)
    • NoSQL (Databases)
    • aerospike (Databases)

What are Federal Reserve Bank of Boston Perks + Benefits

Federal Reserve Bank of Boston Benefits Overview

The Boston Fed has very comprehensive compensation and benefits offerings, allowing us to focus on work-life balance while supporting the Bank’s primary focus - Public Service That Makes a Difference®.

In addition to great healthcare, dental, prescription, and vision coverage, the Boston Fed offers a comprehensive Employee Assistance Program (EAP) and health and dependent care flexible spending accounts. These benefits are available to employees, their qualified families, and domestic partners. The Boston Fed also has an onsite, state-of-the-art fitness facility and offers seasonal flu shots and wellness screenings.

Culture
Volunteer in local community
The Boston Fed participates in local volunteer activities and provides each employee with two paid volunteer days.
Partners with nonprofits
Through the work of our Employee Resource Groups (ERGs) and other departments within the Boston Fed, we partner with local nonprofits as a way to give back to the communities where we live and work.
Open door policy
OKR operational model
Team based strategic planning
Pair programming
Open office floor plan
Flexible work schedule
We believe a hybrid remote/in-office arrangement is part of the future of work at the Boston Fed, which will ultimately offer more flexibility.
Remote work program
Remote work options include: office-based, hybrid/scheduled, hybrid/ad hoc, and primarily remote.
Diversity
Dedicated diversity and inclusion staff
Highly diverse management team
Mandated unconscious bias training
Diversity manifesto
Diversity employee resource groups
The Boston Fed offers employees the chance to participate in employee resource groups (ERGs) and affinity groups with a specific interest. ERGs and affinity groups are a valuable component of the Bank
Hiring practices that promote diversity
We believe in the strength that comes from diverse perspectives, ideas, and approaches to solving important business problems. Our organization embraces diverse employees, constituents, and community
Health Insurance + Wellness
Flexible Spending Account (FSA)
Disability insurance
Dental insurance
Vision insurance
Health insurance
Life insurance
Wellness programs
Team workouts
Mental health benefits
Financial & Retirement
401(K)
401(K) matching
Performance bonus
Child Care & Parental Leave
Childcare benefits
Federal Reserve Bank of Boston provides backup child care assistance, including tutoring, in-home childcare and virtual child care assistance.
Generous parental leave
Family medical leave
Adoption Assistance
The Bank provides up to $5,000 in reimbursement associated with the cost of adopting a child.
Restricted work hours
Return-to-work program post parental leave
Company sponsored family events
The Fed Society plans family oriented events a few times throughout the year.
Vacation + Time Off
Generous PTO
Paid volunteer time
The Federal Reserve Bank of Boston encourages employees to give back with paid volunteer time up to 16 hours a year.
Paid holidays
Paid sick days
Office Perks
Commuter benefits
The Federal Reserve Bank of Boston offers pre-tax commuter benefits for all employees through Wage Works, including a $90 subsidy toward your transit monthly passes.
Company-sponsored outings
Recreational clubs
Fitness stipend
The Bank offers a free on-site fitness center that includes classes and is open 24 hours a day.
Onsite gym
Professional Development
Job training & conferences
The Boston Fed offers employees professional development opportunities like onsite training courses and the ability to attend job related conferences and seminars.
Tuition reimbursement
Lunch and learns
Promote from within
Mentorship program
Continuing education stipend
Online course subscriptions available
Customized development tracks
Paid industry certifications

Additional Perks + Benefits

At a time when many organizations no longer offer a traditional pension plan, the Federal Reserve’s Retirement Plan is recognized for the value it provides in helping secure employees’ financial future during their retirement years. Fed employees are automatically enrolled in our pension plan.
