Risk and Compliance Specialist
New York, NY 
Posted 26 days ago
Job Description
Job Locations: US-NY-New York
Job ID: 2020-1179
Risk and Compliance Specialist
Category: Information Technology
Location Address: 33 Whitehall Street
Type: Full-Time
Overview

This position will report to the Director of Information Security, who oversees the Firm’s Information Security, Data Governance and Privacy program. The Risk and Compliance Specialist will work closely with the Director of Information Security to ensure that the Firm has all necessary policies, standards, procedures and processes in place with regard to data confidentiality, integrity and availability, as required by client and regulatory requirements.

The Risk and Compliance Specialist will be responsible for working with the information security team, consultants, service providers and staff to develop, exercise and maintain the Firm’s Information Security and Privacy Program, and to develop and maintain Data Governance for all data within the Firm.

This is a full-time remote position; work can be done remotely from California, Washington, DC or New York, and the working hours are based on the US Eastern time zone.

Responsibilities

Information Security

  • Maintains all policies, standards and procedures related to Information Security. Creates and updates all documents related to ISO 27001 and assists with ISO 27001 audits. Participates in all necessary meetings throughout the year and maintains meeting agendas and minutes.
  • Ability to read, understand, and reference the policies, standards, and guidelines and identify instances of non-conformity.
  • Review and complete clients’ security questionnaires and participate in audits. Track internal/external audit security findings and remediation plans.
  • Collaborate with security analysts and specialists to ensure audits are conducted in a timely manner and that policies are followed.

Privacy

  • Develops, implements, and updates the Firm’s privacy policies, procedures and processes in coordination with senior management, consultants, information technology staff, legal counsel and the risk committee.
  • Ensure that all of Milbank’s offices around the globe have a privacy program in place and follow the same policies, procedures and processes.
  • Must have strong practical knowledge of regulatory privacy laws in the US (CCPA, the New York SHIELD Act and others) and in other countries (such as GDPR and others).
  • Delivers or arranges for initial and ongoing information privacy training to all staff.
  • Performs periodic risk assessments and ongoing compliance monitoring.
  • Works with relevant departments to ensure the Firm complies with appropriate information privacy contract provisions, specifically business associate agreements, sub-business associates, delegates, vendors, and other relevant parties.
  • Participate in the development and review of business associate and qualified service organization agreements to ensure that all privacy concerns, requirements, and responsibilities are addressed.
  • Experience with privacy platforms such as OneTrust, TrustArc and others.

Data Governance

  • Develop, implement and manage data governance policies, procedures and processes relating to all data, to ensure the availability, usability, integrity, and security of the data employed in the Firm.
  • Work with business units and IT personnel to discover and identify all sources and locations of data (structured and unstructured data) as well as the flow of data within and out of the Firm.
  • Must have prior experience with data mapping.
  • Identify old data and create life-cycle governance around all data in the Firm.
  • Create standards, according to the policies and procedures set forth by Milbank’s Risk Management Committee, with regard to the transmission and storage of data on all of Milbank’s platforms.
  • Create policies around access to Milbank’s data by third parties.

Third-Party Vendor Management

  • Interact with external parties such as contacts from the Firm’s third-party assessment platform as well as various current or future vendors. Manage the risk exposure from engaging third-party service providers.
  • Identifying, analyzing, reporting on, and ultimately mitigating risks that are introduced by relationships with third parties throughout the relationship life cycle.
  • Ensuring compliance with internal policies, standards, and procedures around third-party risk management as well as compliance with various laws and regulations.
  • Being a champion of controls and processes related to vendor onboarding activities such as NDAs, MSAs, Technical Security Risk Assessments, Risk Assessment Reports, and Risk Acceptance by working closely with others at the Firm to promote and ensure security awareness and understanding of the third-party risk program’s requirements.
  • Attending technical security risk assessments and capturing the risks and compiling risk assessment reports.
  • Initiating and executing third-party risk assessments using the Firm’s platform, which collects assessments such as SIG Core or SIG Lite as well as GDPR privacy assessments, to identify security weaknesses.
  • Reviewing and assessing the responses to the assessments, and following up on responses that have a pronounced level of risk; this is conducted when onboarding but is also an ongoing monitoring activity.
  • Ensuring that remediation plans are documented, that monitoring action plans to resolve identified weaknesses are in place, and to monitor through to resolution.
  • Collecting and reviewing third-party documents such as SOC2 reports, capturing risks, and following up on them.
  • Initiating NDAs and other documents with vendors, and following through until the final fully executed documents are completed.
  • Monitoring our Firm’s own security rating from the third-party platform and identifying associated risks.
  • Experience with privacy platforms such as OneTrust VRM, Prevalent, Priva, ThirdPartyTrust and others.

Qualifications

  • Bachelor’s degree with a minimum of 6 years of combined experience with information security, privacy and third-party management programs in a global enterprise.
  • Legal background is a plus (JD or equivalent prior legal experience or education).
  • Strong project management skills, including the ability to work across multiple teams and business units.
  • Must be able to create and review detailed documents including technical documents as needed.
  • Experience with ISO 27001:2013, ISO 22301, SSAE 18 SOC 2 criteria, the COSO framework, HIPAA and NIST.
  • Industry certifications such as: CISSP, CRISC, CISM, CTPRP, CISA and CIPP.
  • Ability to challenge responses to security assessment questionnaires in a tactful manner.
  • Ability to read contracts and use Track Changes in Word.
  • Ability to prioritize workload and meet deadlines.
  • Should have excellent skills in Excel, Word, PowerPoint, sometimes Visio and should have exceptional organizational skills when it comes to managing Outlook.
  • Excellent oral and written communication skills.
  • Extensive interpersonal skills and the ability to develop and maintain stakeholder relationships at all levels.
  • Organizational skills and aptitude in order to accurately track multiple concurrent workstreams.
  • Should be self-motivated and independent, and able to understand written and verbal direction.
  • High level of energy, creativity, flexibility and dedication.
  • A willingness to focus and commit to ensure the Firm has a comprehensive Information Security, Privacy program and Data Governance.
  • Attention to detail is paramount: accuracy, consistency, and completeness are necessary.
  • Ability to make good decisions but also have the willingness to seek guidance when unsure.
  • Must be available to report to work on their regularly scheduled days and at the scheduled hour.
  • Must also be willing to work off hours when necessary.
  • Ability to travel within USA and abroad when business travel resumes. Travel will be no more than 20% a year, depending on the distance (if located in NY or DC, it could be more).

Milbank is an Equal Opportunity/Affirmative Action Employer, which includes providing equal opportunity for protected veterans and individuals with disabilities. We value diversity and are firmly committed to a policy of non-discrimination, on the basis of actual or perceived age, race, color, religion, disability, marital status, pregnancy, national origin and citizenship, gender, gender identity and expression, sexual orientation, veteran status, creed, genetic predisposition, carrier status or any other classification protected by law. Our policy of equal opportunity applies to recruiting, hiring, placement, training, compensation, and all other terms of employment.


Job Summary
Start Date: As soon as possible
Employment Term and Type: Regular, Full Time
Required Education: Bachelor's Degree
Required Experience: 6+ years