What are the responsibilities and job description for the GRC Third Party Risk Manager position at Hamlyn Williams?
The GRC Third Party Risk Manager will play a key role within the Information Security team, overseeing the Third Party Risk Management (TPRM) program while contributing to broader GRC initiatives. This role involves assessing and mitigating risks associated with vendor relationships, including initial due diligence and ongoing monitoring. The manager will evaluate third-party cybersecurity controls, ensuring alignment with the organization’s IT risk management standards and regulatory requirements. This is a remote role, but candidates must live in one of the following locations: NYC, Washington DC, Chicago, or Atlanta.
Key Responsibilities
- Conduct comprehensive third-party risk assessments for onboarding and ongoing evaluation of vendor services, identifying privacy and security risks.
- Review and analyze vendor-provided risk documentation, including risk assessment questionnaires (e.g., SIG), control audit reports (e.g., SOC Type II, SSAE18), and security policies.
- Leverage expertise in industry standards (e.g., NIST CSF, ISO 27001/27002) and regulatory frameworks (e.g., GDPR, CCPA) to deliver thorough vendor risk evaluations.
- Collaborate with vendors and internal stakeholders to identify, address, and monitor risks, ensuring effective remediation and tracking of identified issues.
- Partner with InfoSec teams and other stakeholders to assess vendor security controls and associated risks.
- Provide recommendations and guidance on vendor-related security risks, obtaining risk acceptance as needed before establishing contractual agreements.
- Support Procurement in negotiating the organization’s Information Protection Addendum (IPA) and incorporate input from Privacy, InfoSec, and the Office of General Counsel (OGC).
- Collaborate with Contract Administration and Procurement teams to review vendor contracts for both new and existing vendors.
- Monitor and measure the progress of TPRM activities, ensuring the program evolves with industry best practices.
Core Competencies
- Deep expertise in Third Party Risk Management.
- Strong understanding of privacy and information security frameworks (e.g., NIST, ISO 27001/27002) and applicable regulations (e.g., GDPR, CCPA).
- Excellent written and verbal communication skills.
- Proven experience negotiating supplier resiliency and cybersecurity requirements.
Qualifications
- Bachelor’s degree (required).
- Minimum of 7 years of experience in third-party risk management or a related field.
This position is ideal for a seasoned professional passionate about safeguarding the organization through robust third-party risk management practices and contributing to the overall success of the GRC team.