Senior IT Risk and Compliance

The Group:
The Information Security department is responsible for setting enterprise security policies and standards that are designed to protect the confidentiality, integrity and availability of Morningstar information. The security team offers guidance and technical expertise in areas like application security, policies and procedures, disaster recovery and compliance/regulation. We analyze emerging security threats and conduct risk and vulnerability assessments to ensure that our information remains secure.
The Role:
The Information Security Team is looking for a Senior Analyst Third-Party Vendor Risk Analyst to join the IT Compliance Team. The Senior Third-Party Vendor Risk Analyst will help shape the Information Security Team's third party vendor risk management program. This individual will serve as a subject matter expert for third party vendor risk management, perform vendor risk assessments, propose updates to expand the program's capabilities, increase participation in the program and drive process improvements. This position is based in either our Chicago or Toronto office.
Responsibilities:

• Partner with the business to execute vendor risk assessments
• Monitor internal SLAs to ensure we provide timely service to our internal stakeholders
• Serve as a subject matter expert for security vendor risk management
• Collaborate with the procurement department and other internal stakeholders to improve and expand the vendor risk management program
• Review third party security documents (SOC2, security policies, data flow diagrams, etc.)
• Perform contract reviews of proposed changes to security requirements in our third party contracts
• Liaise with third party vendors as required

Requirements:

• A bachelor's degree and 5+ years' experience include 3+ in a vendor risk related role
• Experience serving as the subject matter expert for security vendor due diligence
• Experience performing contract review of security terms
• Familiarity with common compliance standards (SOX, SOC2, PCI-DSS, GDPR etc.)
• Familiarity with security frameworks (ISO 27001, NIST, etc.) and general security concepts
• Strong organizational skills and the ability to multitask and switch priorities with short notice
• Strong business analysis, research and analytical skills
• Excellent communication skills

Base Salary Range: $90,000 - $132,711
Bonus: 12.5%
If you receive and accept an offer from us, we require that personal and any related investments be disclosed confidentiality to our Compliance team (days vary by region). These investments will be reviewed to ensure they meet Code of Ethics requirements. If any conflicts of interest are identified, then you will be required to liquidate those holdings immediately. In addition, dependent on your department and location of work certain employee accounts must be held with an approved broker (for example all, U.S. employee accounts). If this applies and your account(s) are not with an approved broker, you will be required to move your holdings to an approved broker.
Morningstar's hybrid work environment gives you the opportunity to collaborate in-person each week as we've found that we're at our best when we're purposely together on a regular basis. In most of our locations, our hybrid work model is four days in-office each week. A range of other benefits are also available to enhance flexibility as needs change. No matter where you are, you'll have tools and resources to engage meaningfully with your global colleagues.