Required skills:
- Strong, in-depth experience in information security risk identification (including cloud services), risk assessment, and risk ranking
- Basic understanding of the risk management concepts of inherent risk and residual risk
- Working experience with the following documents used in a risk assessment:
  - SIG (Standardized Information Gathering) questionnaire
  - Penetration test reports
  - Vulnerability scan reports
  - SOC (Service Organization Control) 1 and SOC 2, Type 2 reports
*Most of Freddie Mac's vendor risk assessments are done remotely (by requesting vendor documents) rather than on-site at the vendor.*
- Experience with the following standards:
  - ISO 27001 and ISO 27002
  - NIST publications relevant to information technology/security
  - Cloud Security Alliance Cloud Controls Matrix (CCM)
  - Shared Assessments SCA (Standardized Control Assessment) control assessment guidelines
- Experience in assessing the following risks:
  - Privacy of information
  - Information technology disaster recovery
  - Fourth-party risk (i.e., the vendor's subcontractors)
  - Concentration risk
  - Critical services
- Articulate in verbal and written communication
- Ability to convey technical concepts in layman's terms
- Confidence to make independent decisions
- Willingness and desire to consider other viewpoints
- Ability to collaborate with others to complete a common goal
Nice to have:
- Financial services third-party risk management experience
- Familiarity with the Office of the Comptroller of the Currency's 2013 third-party risk management lifecycle guidance (OCC Bulletin 2013-29)