3-6 years
Bangalore / Bengaluru
1 vacancy
Senior Tech Risk Management Analyst - TPRM
CME Group
posted 8hr ago
Flexible timing
The Global Information Security (GIS) Sr Technology Risk Management Analyst will collaborate with peers in GIS
and across the enterprise to ensure that Information Security risks are properly identified, assessed, addressed,
and communicated in support of the overall GIS Third Party Risk Management (GIS TPRM) program. The Sr
Technology Risk Management Analyst role will assist with the continuous improvement and daily operation of the
GIS TPRM program, including maturation of assessment methods, supporting instrumentation, registration and
tracking of InfoSec risks, maturation and operation of an information management system (e.g., a GRC solution) to
support the function, and communicating InfoSec risks to CME Group's broader Enterprise Risk Management
(ERM) function.
Responsibilities Include:
Work with peers to identify and assess Information Security risks
Conduct risk assessments using CME Group's established GIS TPRM Risk Management assessment process
Collaboratively author and edit various assessment related documents, including Deficiencies Observed,
Summary of Work, Risk Advisory Memos, exceptions from various GIS technical policies and standards,
and other related output resulting from risk assessment activities
Assist the GIS Third Party Risk Management function with:
o Maturation and continued deployment of an information security risk management system (e.g.,
a GRC solution) that will drive efficiencies and automation in the management of InfoSec risks,
rollup into ERM, and the registration, tracking, reporting, and re-assessment of identified InfoSec
risks
o Continuous improvement and maturation of the methods, instrumentation, training,
documentation, and processes required to effectively manage third party technology risks
o Providing advisory and consulting services to the Information Technology Management Team
related to InfoSec risks, treatment strategies, and decision-making
o Assist in the preparation of management reports, presentations, operational metrics, and other
documentation required to support governance functions
o Promoting a culture of risk awareness and accountability through training, education, and risk
management consultative support
Problem Solving:
Objectively assess the impact, likelihood, and velocity of identified risks
Objectively advise on any number of technical controls that will mitigate risk and assist stakeholders with
remediation knowledge gaps
Mediate differing perspectives on risks between a variety of Technology Division stakeholders
Drive objectivity and build consensus among stakeholders with widely divergent perspectives and drivers
Rapidly analyze complex technical details
Synthesize detailed analysis into a big picture view that can be easily understood by non-technical
stakeholders to support risk-based decision-making for senior managers within the Technology Division
Decision Making:
Recommends risk treatment decisions
Recommends remediation actions when risk mitigation is desired
Recommends improvements to methods, instrumentation, training, documentation, and processes
Recommends solutions for automating and streamlining GIS TPRM risk management practices
Advises on GIS TPRM risk management program, policies, standards, and procedures
Working Relationships:
Communicates regularly with cross-functional peers inside and outside of the Technology Division,
including Legal, Information Governance, Global Operations, Global Assurance (Internal Audit), Enterprise
Risk Management, Third Party Risk Management, and other business unit leadership
Interacts occasionally with industry peers from other Systemically Important Financial Market Utilities
(SIFMUs), research organizations, solution providers, etc.
Required Experience:
Bachelor's Degree
Minimum of 4 years of experience in publicly traded companies or finance/technology industry
operations with Third Party Risk Management experience
Experience in at least two of the following: InfoSec (Operations, Program Management, Governance, Risk
Management, etc.), Enterprise Architecture, Identity & Access Management, Application Development,
Infrastructure & Operations, IT Compliance, or Internal Audit
Experience working with industry-based information security and/or control frameworks (NIST Cyber
Security Framework, ISO 27002, CobIT, etc.)
Experience working with information security standards or cyber security standards (e.g., NIST 800-53)
Demonstrable knowledge of a broad range of InfoSec technologies and practices
Demonstrable, impeccable writing skills for technical, management, and executive audiences
Possesses strong verbal communication skills/presentation skills
Additional preferred experience:
Demonstrable knowledge of InfoSec risk management methods and practices
Experience with operating Governance, Risk, and Compliance (GRC) solution's - Third Party Risk
Management functionality
Experience leading and working with global teams
Professional certification in InfoSec or Risk Management (such as CRISC, CISM, CISSP, CGEIT, CISA, etc.)
CME Group: Where Futures are Made
CME Group is the world's leading and most diverse derivatives marketplace. But who we are goes deeper than that. Here, you can impact markets worldwide. Transform industries. And build a career by shaping tomorrow. We invest in your success and you own it - all while working alongside a team of leading experts who inspire you in ways big and small. Problem solvers, difference makers, trailblazers. Those are our people. And we're looking for more.
Employment Type: Full Time, Permanent