The primary responsibility of the Third-Party Security Analyst is to support management of third party security risks for all Legal & General third-party suppliers.

• Classify third party suppliers based on the sensitivity of data they have access to and their overall risk posture, and periodically review and reprioritise the assessment schedule accordingly to help ensure the highest risk suppliers are assessed.
• Perform information security assessments of third party suppliers following the Legal and General control framework to help ensure third party suppliers apply security controls in adherence with Legal & General policies and standards.
• As part of the third party information security assessments, conduct IT security control testing and evidence review and provide associated improvement recommendations to help ensure controls are designed and operating effectively.
• Liaise with the third party suppliers to track the progress of remediation actions against agreed timelines and escalate any delays or roadblocks to the Security Supplier Governance Manager in order to ensure any outstanding risks are pro-actively managed.
• Liaise with Group IT control owners and review Legal & General policies and procedures to effectively respond to due-diligence requests/ assessment questionnaires sent to Legal and General by its clients and business partners
• Monitor and prepare reporting for key risks and performance indicators of third-party service providers to help ensure that trends and risks are easily identified and escalated to management.
• Support the Security Supplier Governance Manager in overseeing the delivery of outsourced delivery services by the Tier 1 and Tier 2 security suppliers by monitoring and reporting compliance to Service Level Agreements (SLAs).

Qualifications:

Education

• Bachelor’s degree (preferred but not essential) or equivalent experience in computer science, IT engineering, or related field

Certification

• Information Security and /or Information Technology industry certification (CISSP-ISSAP, CISA or equivalent) strongly preferred
• Member of Institute of Information Security Professionals (M.IISP) or have the qualification, skills and experience to become a member

Knowledge:

• Strong understanding of cyber controls and cyber risks to identify and evaluate control effectiveness and identify any potential gaps between cyber risks and existing cyber controls
• Basic understanding of various cyber technologies such as endpoint protection, DLP, insider threat protection and mobile device protection
• Ability to engage with third-party suppliers to perform control-level technical cyber risk assessments
• Ability to effectively communicate information security risks to business stakeholders and third-party service providers
• Organised with a proven ability to prioritise workload, meet deadlines, and utilise time effectively
• Strong analytical skills
• Have an eye for detail

Experience:

• Prior work experience in information security is essential
• Hands-on experience in performing control-level technical cyber risk assessments
• Experience in managing third-party relationships is essential
• Experience in financial service industry is preferred but is not essential

Leadership:

• Ability to interact with senior security stakeholders and report on programme effectiveness

Whatever your role, we reward ability, performance and attitude with a package that looks after all the things that are important to you. Our employees have a wide range of benefits including a generous pension scheme, life assurance, 25 days’ holiday, private medical insurance, discretionary performance related bonuses, paid overtime, a variety of share schemes, discounts at both a huge range of high street stores and our own great products, your hard work will be rewarded when you join us.