Position Summary: The Assistant Vice President (AVP) Third Party Assurance (TPA) will be the responsible executive within the Office of the Chief Information Security Officer (OCISO) charged with planning, implementing and overseeing a comprehensive cybersecurity risk assurance program for FRS' third parties.
The Executive will establish a best-in-class Third Party Cybersecurity Assurance function that is aligned with the FRS' overall vendor management practices and Critically Important Vendor (CIV) processes. This role reports to the System Chief Information Security Officer and will be required to work closely with FRS Procurement Offices, Legal Departments, Information Security Officers and Risk Officers.
In this capacity, the AVP, Third Party Assurance will:
- Develop and maintain Third Party Assurance security policies, standards, and procedures (toolkit) for new and existing vendor cybersecurity reviews, so that FRS Leadership has proper oversight of existing and emerging cybersecurity risks based on the nature of each third-party business relationship.
- Direct the activities of third party cybersecurity assessments for National IT vendors.
- Partner with appropriate stakeholders to facilitate the execution of vendor reviews aligned to each business unit's strategy, using a risk-based, threat-driven prioritization approach.
- Partner with Reserve Bank Third Party Risk Management Programs to ensure effectiveness and compliance with the requirements of Security Assurance for the Federal Reserve (SAFR) policy, standards, and processes.
- Prepare third party cybersecurity assurance metrics and reports for the System CISO and FR Senior Leadership.
The successful candidate will be an experienced information security leader with a background in vendor management, security assessment, and security and risk management.
Position Responsibilities:
- Collaborate with Contract Managers and Executive Level Management to ensure vendor partners are effectively managed and contracts are performed within established security requirements.
- Develop processes by which vendors are evaluated and selected in accordance with Security Assurance for the Federal Reserve (SAFR) policy, standards, and industry best practices.
- Contribute to design and implementation of reports on the measurement of third-party risk management program effectiveness, vendor management metrics, and KRIs for inclusion in OCISO and enterprise risk management governance reporting as well as for line of business reporting as appropriate.
- Collaborate with stakeholders and IT/IS partners to contribute to the definition and enhancement of tools and automation that support the management of the third-party risk management program.
- Monitor results against goals and proactively review them to preempt customer dissatisfaction.
- Regularly collaborate with Contract Managers and Executive Level Directors on potential program improvements.
- Promote collaboration across department/division/organization as part of matrix management.
- Knowledge of information security laws and regulations, including federal and organizational policies pertaining to vendor and third-party security risk management (e.g., FedRAMP, ISO 27000, NIST Risk Management Framework).
- Maintain technical proficiency by fostering relationships with third-party, vendor, and external risk management councils, organizations, and competency centers.
- Ability to communicate security and risk-related concepts to technical and non-technical audiences at the peer, subordinate, and executive levels.
- Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system's internal operations and interactions with other systems and associated controlling software.
- Provide leadership, motivate staff, and promote the field of Information Security Risk Management. Make broad work assignments and review results; select new employees; ensure thorough training; rate performance; make decisions and recommendations regarding staffing levels, promotions, salary adjustments, disciplinary actions, etc. This includes managing staff at remote sites.