GRC Third-Party Risk Manager
Remote.
Contract role.
Key Responsibilities
- Conduct comprehensive third-party risk assessments for onboarding and ongoing evaluation of vendor services, identifying privacy and security risks.
- Review and analyze vendor-provided risk documentation, including risk assessment questionnaires (e.g., SIG), control audit reports (e.g., SOC 1/SOC 2 Type II reports issued under SSAE 18), and security policies.
- Leverage expertise in industry standards (e.g., NIST CSF, ISO 27001/27002) and regulatory frameworks (e.g., GDPR, CCPA) to deliver thorough vendor risk evaluations.
- Collaborate with vendors and internal stakeholders to identify, address, and monitor risks, ensuring effective remediation and tracking of identified issues.
- Partner with InfoSec teams and other stakeholders to assess vendor security controls and associated risks.
- Provide recommendations and guidance on vendor-related security risks, obtaining risk acceptance as needed before establishing contractual agreements.
- Support Procurement in negotiating the organization’s Information Protection Addendum (IPA) and incorporate input from Privacy, InfoSec, and the Office of General Counsel (OGC).
- Collaborate with Contract Administration and Procurement teams to review vendor contracts for both new and existing vendors.
- Monitor and measure the progress of third-party risk management (TPRM) activities, ensuring the program evolves with industry best practices.
Core Competencies
- Deep expertise in Third-Party Risk Management (TPRM).
- Strong understanding of privacy and information security frameworks (e.g., NIST, ISO 27001/27002) and applicable regulations (e.g., GDPR, CCPA).
- Excellent written and verbal communication skills.
- Proven experience negotiating supplier resiliency and cybersecurity requirements.
Qualifications
- Bachelor’s degree (required).
- Minimum of 7 years of experience in third-party risk management or a related field.
This position is ideal for a seasoned professional passionate about safeguarding the organization through robust third-party risk management practices and contributing to the overall success of the GRC team.