
IT Third Party and Client Security Assurance Analyst

2-3 years

Bangalore / Bengaluru

1 vacancy

AECOM

posted 19hr ago

Job Description

The use of third parties is an essential element in AECOM's service delivery model and creates the need for management oversight and continuous monitoring of their security capabilities and performance. AECOM works with many third parties (e.g., vendors, partners, suppliers), each of which poses security, compliance and operational risks. AECOM is recruiting Third Party and Client Security Analysts to support the centralized Third Party and Client Risk Management Function.

In this role, the analyst is expected to support the framework and operating model and to supervise processes to ensure that: (1) third parties are compliant with AECOM's security standards and (2) AECOM provides the same type of assurance to its clients that its security program is compliant with regulatory requirements, standards and client expectations.

Responsibilities & Duties

  • Evaluate requests for third party engagements
  • Conduct initial and periodic third-party risk assessments
  • Collaborate with business requestors, procurement, legal and other teams to ensure questionnaires are completed in a timely manner
  • Collaborate with security/IT team members to ensure a full understanding of security controls, technology and architecture
  • Review responses to security questionnaires, SOC 1 and SOC 2 assessment reports received from third parties to identify potential risk to AECOM
  • Identify gaps/issues based on third party and/or client standards relative to security postures
  • Devise remediation plans and monitor to ensure adherence by third parties and AECOM security/IT
  • Manage, enhance and implement the framework, policies, procedures and program governance to ensure alignment of TPRM with industry best practices and regulatory requirements (NIST, ISO 27001, FedRAMP, etc.)
  • Develop tactical and strategic plans to evolve the third-party risk management program to ensure compliance with new regulations and alignment with industry best practices
  • Triage/complete requests from AECOM clients regarding AECOM's control environment
  • Manage AECOM's response to security due diligence from existing and potential business partners/clients/third parties (questionnaires, site visits, etc.)
  • Assist with RFI/RFP processes and responses to client inquiries, ensuring comprehensive risk management throughout the process
  • Review third party and client contracts to validate appropriate security requirements and commitments

Qualifications

  • Bachelor's degree in Information Technology, Information Security, Risk Management or a related field
  • 2-3 years of career experience related to information security, IT, audit, third party and/or risk
  • Strong understanding of risk management principles and security frameworks (e.g., NIST, ISO 27001, SOC 2, PCI-DSS)
  • Extensive experience in evaluating vendor security and compliance in relation to regulatory and industry standards.
  • Familiarity with industry GRC tools such as UpGuard, AuditBoard, ServiceNow, etc. is a plus/desirable
  • Strong prioritization and organizational skills
  • Ability to develop, document and maintain procedures
  • Strong verbal communication with the ability to advise management regarding third party and client risk management
  • Ability to work independently and collaborate with cross-functional teams

Additional Information

  • Ability to effectively communicate and collaborate within a specific group of internal and external customers. (Communication)
  • Ability to maintain good customer relationship with the ability to proactively support customer needs and requirements. (Customer Service)
  • Ability to be thorough and meticulous in completing assigned tasks and identifying errors, duplicates & discrepancies through defined methods. (Attention to Detail)
  • Ability to identify, assess and resolve simple to moderate issues by following defined policies and procedures. (Problem Solving)

Employment Type: Full Time, Permanent
