
Third Party Risk Specialist
Posted 1 hour ago

• Perform comprehensive technical security evaluations of both new and existing vendors utilizing standardized questionnaires (SIG, CAIQ, custom frameworks).
• Confirm that controls submitted by vendors are in line with industry standards, including NIST CSF, ISO 27001, SOC 2, CIS Controls, and relevant regulations (GDPR, DORA, HIPAA, PCI-DSS).
• Examine evidence packages such as penetration test reports, vulnerability scans, audit logs, and attestations.
• Evaluate network architecture, encryption protocols, access control measures, patch management practices, and identity management implementations.
• Utilize and interpret third-party security rating platforms (e.g., ArgosRisk, DocuBark) to monitor changes in vendor risk posture.
• Keep track of vendor attack surfaces for newly exposed assets, misconfigurations, and known vulnerabilities (CVEs/zero-days).
• Set up and manage automated alerts for changes in vendor security ratings, breach notifications, or threat intelligence signals.
• Conduct periodic reassessments based on the vendor risk tier (Tier 1: quarterly, Tier 2: semi-annual, Tier 3: annual).
• Gather, review, and validate supporting evidence for claims made by vendors regarding their controls.
• Analyze SOC 1 / SOC 2 Type II reports, highlighting exceptions, qualified opinions, and control deficiencies.
• Confirm the currency and scope of certifications such as ISO 27001, PCI-DSS, HIPAA, and others.
• Maintain audit-ready documentation for each vendor within the GRC platform.
• Monitor vendor breach notifications and evaluate the organizational impact of third-party security incidents.
• Collaborate with internal Incident Response (IR) and Security Operations Center (SOC) teams in the event of vendor compromises.
• Track open findings, remediation commitments, and validate closure through follow-up assessments.
• Escalate unresolved high-severity findings to risk owners and senior management.
• Assign, manage, and update technical risk scores for each vendor based on assessment results and monitoring signals.
• Weight risk findings according to vendor criticality, considering data sensitivity, operational reliance, and regulatory exposure.
• Contribute technical risk insights to overall vendor risk ratings within the GRC/TPRM platform.
• Generate executive-ready dashboards, risk summaries, and periodic reports for senior leadership and risk committees.
• Identify and map essential sub-processors and technology dependencies for critical vendors.
• Evaluate concentration risk by identifying instances where multiple vendors depend on the same cloud provider, data center, or software stack.
• Require vendors to notify the organization of significant sub-processor changes and reassess the affected risk profiles accordingly.
• Issue formal technical findings reports to vendors with clear, prioritized remediation instructions.
• Set remediation timelines, escalation thresholds, and acceptable compensating controls.
• Validate the effectiveness of remediation through follow-up evidence collection and re-testing.
• Escalate non-compliant or unresponsive vendors to procurement, legal, or executive stakeholders.
• Collaborate with Procurement, Legal, Compliance, and Business Owners on vendor onboarding and renewal processes.
• Translate intricate technical findings into clear, business-oriented risk narratives for non-technical stakeholders.
• Provide guidance on security contract clauses, SLAs, right-to-audit provisions, and breach notification terms.
• Assist with internal audits, regulatory examinations, and external assessments requiring evidence of third-party risk.
• Continuously improve assessment questionnaires, technical benchmarks, and monitoring playbooks.
• Stay updated on emerging threats, regulatory changes, and evolving industry standards relevant to vendor risk.
• Contribute to the development and enhancement of vendor tiering models and organizational risk appetite definitions.
• Assess and recommend new tools or capabilities to enhance the TPRM monitoring program.
• A minimum of 3-5 years of experience in IT/Security Compliance/Audit functions (or equivalent).
• A bachelor's degree in Cybersecurity, Information Systems, Computer Science, or a related field is required.
• A master's degree or equivalent experience in Information Security or Risk Management is advantageous; seven years of experience may substitute for degree requirements.
• Familiarity with security and compliance standards/regulations, particularly SOC 2, ISO 27001, ISO 27701, NIST 800-53, NIST CSF, FedRAMP, DPDPA, MeitY, GDPR, PCI DSS, and HIPAA.
• Applicants must possess work authorization that does not require sponsorship from the company now or in the future.
• Bonus but not mandatory - CIPP, CTPRM, or equivalent certification.
• Experience with Supplier Life Cycle Management, Vendor Contracting Process, and Third-Party Risk Management Programs for Cloud providers.
• Must be able to collaborate in US time zones.
• Understanding of AI/LLM systems and the testing of AI platforms and products.
• A self-starter who requires minimal direction from leadership.
• Methodical and diligent, with exceptional planning capabilities.
• Capable of meeting deadlines and managing multiple priorities.
• Strong negotiation skills to achieve favorable outcomes with business partners.
• Excellent project management skills, capable of managing several large projects simultaneously, ensuring they remain on scope, on budget, and on time.
• Ability to present and communicate effectively with all organizational levels.
• Flexible, with the capacity to multitask, prioritize effectively, and work under pressure.
• Advocate for continuous improvement and adherence to industry-recognized best practices.
• Must be able to commence employment within 30 days from the job offer.
• Annual Medical Insurance stipend.
• Professional Development Reimbursement.
• Nine Company-Paid Holidays.
• Generous Leave Policy, including one month of paid sabbatical every five years and an Anniversary Bonus each year.
• First-year remote office setup plus quarterly reimbursement for new equipment in subsequent years.
• Internet reimbursement.
• Fitness membership reimbursement.
• Company-paid Wellable subscription.