Global Supplier Services - Supplier Assurance Services - Cloud Assessment Lead
Req #: 190021815
Location: Seattle, WA, US
Job Category: Technology
JPMorgan Chase & Co. (NYSE: JPM) is a leading global financial services firm with assets of $2.6 trillion and operations worldwide. The firm is a leader in investment banking, financial services for consumers and small business, commercial banking, financial transaction processing, and asset management. A component of the Dow Jones Industrial Average, JPMorgan Chase & Co. serves millions of consumers in the United States and many of the world's most prominent corporate, institutional and government clients under its J.P. Morgan and Chase brands. Information about JPMorgan Chase & Co. is available at www.jpmorganchase.com.
The Corporate Third Party Oversight (CTPO) team is responsible for developing, deploying, overseeing and ongoing reporting of a program that drives the effective use of suppliers to accomplish JPMorgan Chase's strategic goals. This includes building awareness of the program at the firm and ensuring consistency globally across both the Lines of Business (LOBs) and corporate groups. It also includes understanding and dissemination of regulatory requirements and reporting to regulators on the program and status. The major focus of the program is to ensure our vendors are performing to the same high standards that JPMorgan Chase holds itself accountable to including client service, quality, control, regulatory compliance, business resiliency and protection of information.
The Supplier Assurance Services (SAS) team is part of the JPMC Corporate Third Party Oversight (CTPO) Program. The team provides IT risk management oversight for suppliers in accordance to JPMorgan Chase (JPMC) Third Party Oversight (TPO) Standards. The SAS team supports all Lines of Businesses (LOBs), and regions globally.
As a Supplier Assurance Services (SAS) Cloud Security Assessment Lead, this position is responsible for performing technical risk and control assessments of supplier environments, including infrastructure/application stacks and other technologies to ensure compliance with JPMC Corporate Policies & Standards and to validate that technical risks are managed and security controls are implemented. The cloud security assessment team will partner with Cybersecurity & Technology Controls and Lines of Business (LOBs) to focus on performing cloud security assessments of suppliers that provide and consume cloud services throughout the supply chain. Additional responsibilities include, but are not limited to the following:
* Engage with stakeholders for suppliers to ensure compliance with all required assessments
* Review and evaluate completed questionnaire(s) and supporting materials provided by suppliers to ensure completeness and alignment with JPMC standards and practices
* Manage all aspects of the risk assessment process and lead onsite assessments of suppliers, providing the overall technical, risk and security expertise, with a focus on cloud security
* Identify inadequate controls and evaluate compensating/mitigating controls in order to determine the associated residual risks
* Document identified issues, compensating controls and residual risks in a report and work with the LOB Delivery Manager to resolve issues through control breaks, Action Plans (APs) or Risk Acceptances (RAs)
* Validate evidence from suppliers substantiating that issues have been adequately remediated, before closing breaks, APs or RAs
* Identify opportunities for process improvements to deliver increasing operational efficiency in processes related to assessment and issue management
* Identify opportunities for improving suppliers risk and controls posture as well as JPMC's CTPO and SAS processes, including expanded monitoring, reporting, etc.
* Support internal education and best practices sharing with peers and colleagues, as well as supplier education and awareness
* Experience performing technical risk and control assessments to validate evidence of security control requirements, identify security control breaks and management of security control break remediation
* Experience using cloud services (e.g., IaaS, PaaS, SaaS, etc.) offered from public cloud suppliers (e.g., AWS, Microsoft Azure, Google Cloud, Salesforce, etc.)
* Experience using a broad set of technologies throughout the infrastructure and application stacks (e.g., servers, operating systems, applications, databases, hypervisors, virtualization management, containers, security, compute, network, storage, etc.)
* Understanding of a broad set of security best practices (e.g., application security, secure software development lifecycles, risk management, data protection, encryption & key management, identity and access management, security operations, security governance, network security, etc.) and technologies, with a focus on virtualization and cloud
* Understanding of network and host based security technologies, including firewalls, web application firewalls, intrusion detection/prevention, data loss detection/prevention, threat protection, anti-malware, file integrity monitoring, configuration management, etc.
* Understanding of security testing methods and technologies, including penetration testing, web application security assessments, vulnerability assessments, etc.
* Understanding of enterprise IT security risk assessments and related frameworks (e.g., SOC 2, ISO 270XX, NIST CSF, NIST 800-XX, COBIT, etc.) and industry best practices
* Understanding of national and international laws, regulations, policies and ethics related to financial industry cybersecurity
* Understanding of Cloud Security Alliance (CSA) framework, CSA Cloud Control Matrix (CCM) and CSA Consensus Assessments Initiative Questionnaire (CAIQ)
* Proficient verbal and written communication skills, including the ability to independently and effectively participate in strategic collaborations with peers across the firm and present to senior management
* Strong organizational skills with an ability to multitask effectively and deliver against commitments
* Bachelor's degree in a relevant discipline preferred
* Cloud security certification(s) (vendor neutral) (e.g., CCSP, CCSK, etc.) required
* Cloud security certification(s) (vendor specific) (e.g., AWS Certified Solutions Architect, etc.) preferred
* ability to travel at least 25% of the time
About JPMorgan Chase
JP Morgan Chase is a financial services provider that offers investment banking, asset management, treasury, and other services.