BNY Mellon Careers
Senior Specialist, Technology Risk Management
The role is part of the Technology Risk Management (TRM) organization at Bank of New York Mellon. TRM comprises six main teams:
- Risk and Control Governance
- Technology Risk Management (Application Assessments, Infrastructure Assessments, Service Provider Management & Risk Strategy)
- Information Security
- Identity and Access Management
- Vendor Information Risk Management
- Chief Administrators Office
The role will form part of the Vendor Information Risk Management team responsible for executing and overseeing the risk management framework in relation to vendor risk management and third party governance. The team has a global footprint.
Execute risk-based assessments of the company’s vendors, leveraging control information in various formats and from different sources, communicating with both stakeholders and vendors, and reporting results.
- Perform and complete new and existing assessments of vendors and third parties, leveraging the BNY Mellon methodology, which includes questionnaires, evidence requirements, and interviews with vendors and internal stakeholders, to appropriately assess controls relating to: information and security risk management; privacy and security policies and governance; organizational security; asset management; physical and environmental security; communications and security operations management; access controls for systems and applications; cryptography and encryption controls; information systems acquisition, development and maintenance; third party relationship management; vulnerability and threat management; incident, event and communications management; business continuity and disaster recovery; compliance with regulatory and industry standards; and cloud controls relating to infrastructure, platform, and software as a service.
- Perform evidence-based assessments, with a strong working knowledge of reviewing and identifying gaps in: SOC 2 reports; data flow and network diagrams; information security, privacy, and risk management policies; data center security and environmental controls; identity and access controls; the vulnerability management process and the latest vulnerability reports; current application and network penetration testing summary reports; business continuity and disaster recovery plans, tests, and results; system development lifecycle and change control processes; incident management and response plans; malware prevention and detection controls in place; patch and configuration management for applications, supporting databases, infrastructure, and operating systems; network and server hardening standards in place and compliance reports against those standards; distributed denial of service controls; information security and risk management organization charts; and the third party risk management program in place to assess vendors, service providers, and suppliers.
- Representative for vendor assessments, gaps, risks, controls, and status of posture for current and new vendors.
- Develop and maintain strong relationships with key departments, particularly Corporate Senior Information Risk Officers (CSIRO), Relationship Managers, Legal and Procurement, who are actively involved in vendor on-boarding and overall management.
- Continuously monitor and ensure that a high level of quality and accuracy is maintained on reviews, work papers, risk statements, and management reports.
- Continuously strive to improve the methodology and processes around Vendor Risk Assessments.
- Create and provide reports of vendors on a monthly, quarterly, and annual basis relating to vendor control posture, statistics on types of vendors, and vendor risks.
- Stay abreast of changes relating to global regulatory requirements regarding 3rd party Vendor Risk Management.
- Risk reporting and metrics on assessments of new and existing vendors.
- Vendor risk assessment alignment and partnership with key stakeholders.
Minimum of 5 years conducting 3rd Party vendor risk assessments within the financial markets, with at least 7+ years of working experience in risk management.
- Subject matter expert on ISO27001:2013, ISO 22301, NIST 800-53 Rev 4, NIST 800-161, NIST Cybersecurity Framework controls.
- Working knowledge of Archer GRC is highly advantageous.
- Strong experience with security, availability, privacy, processing integrity, confidentiality, vulnerability management, and general IT controls, specifically in the banking and financial industries.
- Pragmatic approach and excellent verbal and written communication skills, including the ability to challenge and to explain complex issues and risks effectively.
- Experience balancing risks with controls.
- Open minded, willing to try new ideas.
- Organized, methodical and analytical.
- Undergraduate degree preferred.
- CISA, CISM, CRISC or CISSP required.
If you apply for this role this means you agree with the following statement:
Through my application for a role with BNY Mellon (Poland) sp. z.o.o. (the Company) I hereby authorize the Company to process my personal data for the purposes of recruitment. Furthermore I declare that I am aware of the voluntary submission of data and I am informed about the right to access the data and the right to correct it, pursuant to the Personal Data Protection Act of 29 August 1997 (Journal of Laws [Dz.U] No. 133, item 883). I authorise the Company to process my personal data for future recruitment processes.
Furthermore, I authorize BNY Mellon and its affiliates, and Taleo (UK) Limited, to process my personal data.
BNY Mellon and affiliates registration details:
BNY Mellon (Poland) sp. z.o.o Registered office – Swobodna 3, 50-088 Wroclaw
The Bank of New York Mellon (International) Limited – 1 Canada Square, London, E14 5AL
The Bank of New York Mellon SA/NV – 46 Rue Montoyerstraat, B-1000 Brussels, Belgium
Taleo (UK) Limited Registered office - 78-586 Chiswick High Road, London W4 5RP, United Kingdom
Please note that during the recruitment process you may be asked to provide further information and supporting documents. The information provided may be verified and reviewed, to the extent permitted by the law, as to their veracity and accuracy.
For over 230 years, the people of BNY Mellon have been at the forefront of finance, expanding the financial markets while supporting investors throughout the investment lifecycle. BNY Mellon can act as a single point of contact for clients looking to create, trade, hold, manage, service, distribute or restructure investments & safeguards nearly one-fifth of the world's financial assets. BNY Mellon remains one of the safest, most trusted and admired companies. Every day our employees make their mark by helping clients better manage and service their financial assets around the world. Whether providing financial services for institutions, corporations or individual investors, clients count on the people of BNY Mellon across time zones and in 35 countries and more than 100 markets. It's the collective ambition, innovative thinking and exceptionally focused client service paired with a commitment to doing what is right that continues to set us apart. Make your mark: bnymellon.com/careers.
Risk and Compliance provide risk and compliance services across all BNY Mellon businesses. Organizationally, Risk and Compliance includes the following groups: Risk Management, Compliance, Global Corporate Security, Information Risk Management and Global Business Continuity. Risk Management oversees and delivers risk services and ensures new business risks are reviewed and approved. Risk Management is organized through Chief Risk Offices for each core business and critical operation. Risk managers provide shared support to BNY Mellon for operational risk services for Global Corporate Trust, Depositary Receipts, Treasury Services and Global Operations in EMEA. Compliance helps ensure BNY Mellon's businesses maintain appropriate processes to comply with applicable laws, regulations, BNY Mellon policies and ethics. This is accomplished through business- and business partner-specific teams of professionals, under centralized global management.
BNY Mellon is an Equal Employment Opportunity Employer.
Primary Location: Poland-Dolnoslaskie-Wroclaw
Internal Jobcode: 85301
Organization: Technology Risk Mgmt-HR06032
Requisition Number: 1812491