Third-Party Risk Management

As Manager of the Information Security Controls Program for the U.S. subsidiary of a Global 500 financial institution, I established BitSight as our platform for an external risk ratings perspective on vendors and business partners. I onboarded new vendors and partners, managed the internal users who were licensed to access the BitSight reports, developed reporting customizations, and worked with BitSight to further develop their deliverables to suit our needs.

I also built our own third-party risk assessment questionnaires based on content from the Shared Assessments Program Standard Information Gathering (SIG) questionnaire. The Shared Assessments SIG is fairly exhaustive and required extensive customization to narrow in on the issues of greatest concern to our business. I modified the standard questions as needed, again, to align better with our own regulatory mandates and the concerns of our internal stakeholders. Later, after I had handed off these processes to another team member, I assisted in building out the assessment questionnaire as an automated process within our Governance, Risk, and Compliance platform.

Together, the BitSight reports and the responses we gathered from the questionnaires were essential to the company in deciding which risks we were willing to take on to meet business projects and objectives. Both of these inputs required analysis, which I performed or directed, to put the information into context for our business. I worked with stakeholders from the business, Legal, Compliance, and Enterprise Risk functions to understand the need for each relationship and to provide feedback on concerns related to security and privacy.

Along with participation as a member of the internal vendor risk management committee, my work in these areas helped the company to avoid entanglements with products, services, and partners that could have exposed customer data, which would have cost the company untold millions of dollars.