Job Views: 1382
Applications: 45
Recruiter Actions: 12

Posted in: IT & Systems

Job Code: 101863

Philips - Sr Manager - Vendor Risk Monitoring

8 - 15 Years, Bangalore
Posted 11 years ago

Organizational Context of the Role/Scope

Philips engages several vendors in managing its business processes, IT systems and services. Philips therefore requires an effective program to manage and safeguard the information assets that are managed with, and by, its vendor partners.

The Senior Manager for Vendor Risk Monitoring is responsible for providing assurance that Philips information assets managed through its Vendor Program are adequately protected.

The Senior Manager for Vendor Risk Monitoring:

- functions at a global level and communicates and coordinates with a global virtual team, including core team members from the sectors, markets and functions, vendor partner nominees, compliance and audit personnel, and other support staff

- creates and operates a vendor risk management and monitoring framework for information security compliance, based on corporate policies and defined information security standards

- defines the security requirements that need to be included in vendor contracts and schedules

- develops vendor risk monitoring and management strategies, and influences related policies so that they effectively shape the vendor program

- is responsible for organizing and leading the vendor audit program

- champions the importance of information security in vendor management, and drives time-bound resolution of high risks

- conducts and participates in vendor governance, and reports security status to the Philips Risk Monitoring and Reporting Executive Forums.

Purpose of the job

The primary goal of this function is to provide assurance of adequate protection of the Philips information assets entrusted to and managed through vendors.

The Senior Vendor Risk Monitoring Manager acts as the semi-independent information security risk manager, responsible for monitoring whether information security requirements have been established effectively at the start of the vendor engagement, whether information assets are being securely managed during the contracted period, and whether appropriate secure retention or disposition of information assets is in place during or after completion of a project or at the end of the contract period.

The sectors, markets and functions need to be continually made aware of the information security requirements (including changes and updates to existing information security policies) that must be built into vendor processes, systems and deliverables, and addressed in the contract documentation.
Further, a monitoring and assurance program is required to identify and report issues, assess key risks to information security, and drive remedial measures that mitigate or reduce risk to within Philips's acceptable tolerance limits.

Key areas of responsibility

- Ensures that a system is established, together with the business and the PGP, for a baseline inventory of vendors that carries each vendor's information classification profile

- Proactively works with the business to gain early insight into work that may be outsourced, and into the information security requirements that need to be considered in vendor engagements

- Conducts programs to create awareness, and provides the necessary education and training on information security matters to business and support staff involved in vendor programs, and to vendor partners, so that Philips security needs are fully understood

- Works out information security requirements in consultation with compliance teams and subject matter experts (e.g. PCI, SOX, Privacy, Export Controls) to address regulatory needs

- Creates, owns and maintains the content of a vendor information security baseline document covering security settings, applicable security requirements and controls, processes, measurements, reporting and governance

- Establishes agile monitoring of vendor projects to report information security issues, key incidents, business continuity status, and the handling of information security crises

- Establishes a reporting and governance mechanism for the information security controls managed with the vendor; deploys supporting GRC tools for vendor risk monitoring and management; manages high-risk vendors

- Ensures that a process is in place to track issues, analyze risks, and report and manage all identified issues, and that the business and the respective vendors are actively engaged in mitigating risks in a timely manner

- Owns and manages internal reviews and vendor audit programs that examine the adequacy of information security processes

- Generates presentations and timely reports on the status of information security assurance for the appropriate management forums

- Serves as the CISO ambassador and first point of contact on all vendor-related information security matters

- Ensures the implementation of corporate information security initiatives and programs, and provides input to influence policy matters so that an effective information security program can be run between Philips and its vendors

Requirements

- 12 years of business/IT experience in a multinational enterprise environment, with a minimum of 5 years in information security and risk management, including engagement in vendor contract or delivery compliance

- Experience with information security risk management in a globally distributed IT services delivery model, engaging global vendors

- Experience implementing a vendor risk management/monitoring capability using GRC tooling

- Experience implementing industry standards such as ISO27001/2 and COBIT, and implementing risk frameworks

- Understanding of cyber risk and compliance

- Project management skills sufficient to understand and suitably engage in vendor projects

- Demonstrated leadership working across multidisciplinary, high-performance and composite work teams and groups

- Demonstrated leadership through exemplary organization, facilitation, communication and presentation skills, having worked effectively at executive, senior management and operational business levels

Domain Specific Details

- Expertise in Information Security

- Expertise in Risk Management

- Applied knowledge of industry standards such as ISO27001/2 and COBIT

- Understanding of contracts, SOWs and vendor evaluation

Education Required

- Bachelor's degree in computer science, business administration, engineering or a related discipline with an information technology focus

- Certification desirable: CISSP, CISM, CCNP, GSEC or similar

Competencies

- Ability to lead effectively, to interact with and influence business, market and functional managers and vendor representatives on information security needs, and to manage conflicts

- Ability to focus on business needs and the changing IT/consumerisation landscape while maintaining an acceptable level of risk

- Ability to shape, maintain and administer the corporate-wide vendor information security risk reporting and management program through multi-functional, multi-disciplinary teamwork ("Teaming to Excel")

- Ability to operate under pressure while establishing risk-sensitive priorities and maintaining time effectiveness in a global 24x7 environment

- Ability to understand, simplify and teach others about security policies and security threats, and to lead them towards risk sensitivity and control requirements

- Good knowledge of and experience in information security practices, compliance requirements and control technologies for protecting all classes of information

- Superior analytic skills brought to bear on timely and effective information collection, analysis and reporting; able to motivate and inform clear decision making through audience-appropriate reporting
