Required skills:

• Strong and deep information security risk identification (includes Cloud services), assessment, and risk ranking experience
• Basic understanding of the risk management concepts of Inherent and Residual risk
• Working experience with the following documents used in a risk assessment:

-SIG (Standardized Information Gathering) questionnaire,

-Penetration test

-Vulnerability test

-SOC (Service Organization Control) 1 and 2, Type 2

*Most of Freddie Mac’s vendor risk assessments are done remotely (request vendor documents) versus going to the vendor’s site*

• Experience with the following standards:

-ISO 27001 and 27002

-NIST relevant to information technology/security

-Cloud Security Alliance control matrix

-Shared Assessments SCA (will provide acronym terms) control assessment guidelines

• Experience in assessing the following risks:

-Privacy of information

-Information technology disaster recovery

-4^th party (a.k.a. subcontractor)

-Concentration

-Critical services

• Articulate in verbal and written communication
• Ability to convey technical concepts in “layman” terms
• Confident to make independent decisions
• Willingness and desire to accept other viewpoints
• Collaborate with other individuals to complete common goal

 

Nice to have:

• Financial services third-party risk management experience
• Familiar with the Office of the Comptroller’s 2013 Third-party risk management lifecycle guidance