Third-Party Risk Principal Cybersecurity Audit Supervisor

Description

As a Third-Party Risk Principal Cybersecurity Audit Supervisor in the Information Systems and Technology Audits Division of the Audit Department, you will be performing risk-based due diligence audits of agency third-party's technology, controls, and policies. This team member will be responsible for understanding and assessing cybersecurity risks associated with third parties that the agency relies upon and/or shares data with.

The Third-Party Risk Principal Cybersecurity Audit Supervisor will be a key partner with departmental stakeholders across the organization who will assess risk throughout the third-party's lifecycle in an open and collaborative effort to ensure that the agency is appropriately mitigating its risk(s). Specific responsibilities include:

• Demonstrate the ability to work in a fast-paced environment.
  
  
• Collaborate with the Chief Information Security Officer, as well as the Threats and Mitigation and Cyber System teams in the Technology Department to enhance and further develop the program and support adherence to Cybersecurity policies, processes, standards, and systems. In addition, support the overall goal of bolstering the agency cybersecurity posture by building and maintaining relationships across third-party engagements.
  
  
• Support innovation through process improvements and updating team documentation and procedures; demonstrated ability to effectively assign resources, supervise audits and develop staff; engage with Procurement, Risk SMEs, and Business Managers to develop criteria for monitoring suppliers' risk and performance effectiveness.
  
  
• Perform audits of external third-party operations; obtain and evaluate third-party's cybersecurity controls and ensure compliance with Port Authority policies, standards, and guidelines as well as industry best practices; articulate risks and control weaknesses as well as identify potential options for remediation or compensating controls.
  
  
• Perform vulnerability scans of third-party environments and analyze the scan data; evaluate independent auditor assessments such as SSAE 18 SOC 2 Type II reports and follow up on recommended remediation steps.
  
  
• Track and monitor the status of each due diligence review and communicate the status with management and key stakeholders on a regular basis; participate in the timely and accurate notification and escalation of actual or potential risks involving third parties; support the identification and maintenance an on-going list of all critical suppliers while providing status reporting to key stakeholders.
  
  
• Demonstrates effective team collaboration.
  
  
• Demonstrates leadership qualities and strong negotiation and persuasion skills.
  
  
• Manage performance, establish performance goals, prepare performance evaluations and development plans including training for rapid changes in technology environment.
  
  
• Ability to effectively build relationships and interact with internal and external partners at all levels.
  
  
• Thorough understanding of Cyber Security risk and mitigation
  
  
• Thorough understanding of internal controls practices and system controls
  
  
• Knowledge of professional auditing standards (IIA/ISACA) and knowledge of CIS Top 20, COBIT, NIST, PCI, ISO, HIPAA, CJIS, COSO frameworks as well as Cloud Security Alliance Cloud Controls Matrix
  
  
• Demonstrates excellent technical, analytical, problem solving and organization skills; project management skills.
  
  
• Ability to identify gaps and non-compliance with policies and standards.
  
  
• Ability to utilize scanning tools and form conclusions.
  
  
• Ability to read and analyze system configurations.
  
  
• Ability to review design documentation to identify controls for enhancing security.
  
  
• Possess strong organizational skills and effective oral and written communication skills.  
  
  
• Strong attention to detail and ability to closely follow defined processes.
  
  
• Ability to meet deadlines, work independently and prioritize work.
  
  
• Knowledge and willingness to learn cybersecurity and risk requirements, controls, standards, and PA policies and procedures.

Note - The selected candidate must be able to travel to Port Authority facilities as well as PA Auditee locations and offices as needed.

Qualifications:

Candidates must possess the following qualifications to be eligible for this position:

• Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or related field
  
  
• Three or more years of experience in risk management, auditing and/or a cyber-related position

Desired:

Ideal candidates will present the following profile:

• Professional certifications desirable, such as CRMA, CRISC, CISA, CISSP, CISM

How to Apply:

Interested candidates should apply to this job by clicking on the "Apply Now" button and submitting a combined cover letter and resume. The Port Authority of NY & NJ welcomes veteran and military spouse applications.

Only applicants under consideration will be contacted.

About The Port Authority:

Founded in 1921, the Port Authority of New York and New Jersey builds, operates, and maintains many of the most important transportation and trade infrastructure assets in the country. The agency's network of aviation, ground, rail, and seaport facilities is among the busiest in the country, supports more than 550,000 regional jobs, and generates more than twenty three billion in annual wages and eighty billion in annual economic activity. The Port Authority also owns and manages the 16-acre World Trade Center site, where the 1,776-foot-tall One World Trade Center is now the tallest skyscraper in the Western Hemisphere.

Equal Opportunity Employer

The Port Authority of New York & New Jersey/Port Authority Trans-Hudson (PATH) is an Equal Opportunity Employer.