Washington, DC, 20080, USA
Senior Information Risk Consultant
**Position:** Senior Information Risk Consultant

**Location:** Washington, DC (Metro accessible)

**Duration:** Long Term Contract

**The Senior Information Risk Consultant will provide expertise with security engineering, design, definition of configuration baselines, assessments, etc., to include:**

• Azure cloud services
• Microsoft Defender for Cloud
• Microsoft Defender for Office 365
• Azure Network Security
• Azure Policy
• Microsoft Defender External Attack Surface Management
• Security configuration of enterprise cloud platforms such as ServiceNow
• Security configuration of security platforms and infrastructure (cloud and non-cloud)

The candidate will be required to work with project teams, service providers, and business units internal and external to the Fund's IT function. The candidate is expected to bring pragmatic cloud security and risk management experience that allows the Fund to meet its present and emerging business needs. The candidate is expected to advise and influence technology and business personnel on the value and methods of safeguarding information, applications, systems, infrastructure, and activities, so that technologies function optimally and work practices are optimized to keep information risks managed.

**Skills:**

• Familiarity with a broad range of security technologies, supplemented by in-depth knowledge in specific areas of relevance.
• Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals.
• Analytical skills that enable synthesis of inputs from many sources and allow for strategic thinking and tactical implementation.
• Interpersonal skills that create openness and trust among colleagues.
• Facilitation and conflict management skills that enable effective working relationships.
• Spoken and written communication that is compelling, convincing, and reassuring, and the ability to articulate complex technical ideas to non-technical stakeholders.
• Pragmatic security expert with an inherent ability to balance security demands with business reality.
• Excellent relationship management skills.
• Ability to think laterally and to contribute to or propose detailed, complex solutions to technical issues.

**Education:**

• Advanced degree in Information Security, Computer Science, Engineering, Mathematics, Business, or a related field of study preferred, with proven, relevant experience in regulated industries working as an information risk manager or IT Security Architect.

**Certifications (at least 3 preferred):**

• CISSP
• CCSP
• Microsoft Certified: Cybersecurity Architect Expert
• Microsoft Certified: Azure Solutions Architect Expert
• Microsoft Certified: Azure Security Engineer Associate

**Specific Responsibilities:**

• Delivery of security assurance services for products and platforms in the company's IT environment (both cloud and on-prem).
• Effectively communicates requirements and trains staff and managers in IT divisions to identify and manage risks throughout the project lifecycle.
• Maintains impartiality around IT systems to produce unbiased reports on information security risk.
• Conducts quality assurance reviews of security requirements and audit recommendations for the implementation of identified solutions.
• Manages the engagement process for external risk assessment providers and acts as a liaison with internal IT project teams and business units.
• Supports the Fund's ISO 27001 certification by promoting self-compliance with policies and standards by IT staff and managers. Keeps abreast of international information security codes of practice such as ISO 27001/27002 and of information security and privacy regulations, and of how these measures could affect information assets owned by, or administered on behalf of, the company.
• As an advocate of information security, works closely and proactively with IT project team leaders, service providers, and business units to provide security-related technical solutions. Identifies opportunities to improve business practices or IT security-related processes.
• Analyzes, recommends, and implements process improvements within the context of information security.
• Works closely with IT project teams to develop implementation plans for new security-related products and services.
• Supports the security assurance of IT products, platforms, and services.
• Prioritizes, monitors, and assesses compliance and audit recommendation results to ensure they are comprehensive, robust, and of high quality.

**Experience Required:**

• Experience working in Information Risk Management at organizations with regulatory compliance requirements.
• Demonstrated IT security expertise in infrastructure areas, network, applications, and database system technologies, including endpoints.
• Has assisted in and taken part in delivering Enterprise Security Architecture principles and service management concepts, with experience using quality assurance tools and techniques.
• General infrastructure vulnerability management.
• Application of project management and systems development methodologies, and management of IT administrative and capital development project budgets.
• Risk management concepts and principles, including assessment, prioritization, delivery of treatment plans, tracking, reporting, and metrics (accreditation and certification). Experience with NIST SP 800-30, ISO 27001/2, ISO 27005, and COBIT.
• Embedding security into processes such as the SDLC, project lifecycle, ITIL, etc.
• Security policy and standards creation.
• Basic project management and consultancy skills.
• Infrastructure security (perimeter, network, application, operating system, mobile device).
• Knowledge of security solutions, the latest threats, and countermeasures.
• Delivery of information security risk and architecture assessments, including consulting on threat modeling, appropriate tiering of N-tier applications, placement, and infrastructure controls to protect application components. Able to consult on and review the implementation of authentication (SSO, LDAP, AD), authorization (fine-grained and coarse-grained), and cryptography (PKI, SSL, Kerberos, crypto algorithms) mechanisms within applications.
• Defining the policies, standards, and guidelines for information security activities, including application and infrastructure security vulnerability management, and ensuring application security is integrated into the SDLC.
• Ability to consult on and deliver standards and guidelines for the hardening of application and infrastructure components, tools, and techniques to ensure the security of components such as Linux/Windows servers, web servers (IIS, Apache, Tomcat), app servers, databases (Oracle and MS SQL), endpoints (Mac, Windows, Apple iOS, BlackBerry, etc.), ArcSight, and web application firewalls.
• Manages and reviews the output of application and infrastructure security assessments conducted by external security services firms. Defines processes and procedures for using external security service providers, including scoping, management of services, remediation tracking, and exception management.

ManpowerGroup is committed to providing equal employment opportunities in a professional, high quality work environment. It is the policy of ManpowerGroup and all of its subsidiaries to recruit, train, promote, transfer, pay and take all employment actions without regard to an employee's race, color, national origin, ancestry, sex, sexual orientation, gender identity, genetic information, religion, age, disability, protected veteran status, or any other basis protected by applicable law.