About The Position

This role supports Stellarus within the Ascendiun Family of Companies. The Risk Management & Controls Assurance team delivers actionable insights by quantifying IT and business risk to increase resilience while driving a security culture. We are seeking an Information Security Risk & Governance Specialist who will report to the Senior Manager. The successful candidate will be a seasoned and strategic professional who will lead the development, implementation, and oversight of our Third-Party Risk Management (TPRM) program. This senior-level individual contributor will be responsible for identifying, assessing, and mitigating risks associated with third-party relationships across the enterprise, ensuring compliance with regulatory requirements and alignment with organizational risk tolerance. Our leadership model is about developing great leaders at all levels and creating opportunities for our people to grow – personally, professionally, and financially. We are looking for leaders that are energized by creative and critical thinking, building and sustaining high-performing teams, getting results the right way, and fostering continuous learning.

Requirements

  • Requires a bachelor's degree or equivalent experience
  • Requires at least 10 years of prior relevant experience
  • Experience in portfolio management, preferably within an Agile or SAFe environment; JIRA experience a plus
  • Experience partnering with all levels of management required
  • Driven, energetic, team player with superior oral and written communication skills
  • Strong analytical, organizational, and project management skills.
  • Requires deep understanding of IT control frameworks; Artificial Intelligence experience is a plus
  • Desire one or more of the following: CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional)

Responsibilities

  Program Leadership & Governance:
  • Design and implement a robust Third-Party Risk Management (TPRM) Program tailored to healthcare regulatory and health technology requirements.
  • Develop and maintain policies, procedures, and standards for third-party risk oversight.
  • Establish governance structures and reporting mechanisms to ensure transparency and accountability.

  Risk Assessment & Due Diligence:
  • Implement and conduct comprehensive risk assessments for new and existing third-party vendors, focusing on cybersecurity, data privacy, financial stability, and operational resilience.
  • Collaborate with procurement, legal, compliance, and business units to ensure thorough due diligence and contract risk mitigation.
  • Define and maintain risk tiers and criticality ratings for vendors.
  • Develop and support contract reviews for security exhibits.
  • Implement and lead process for responding to IT and security questionnaires (sales, etc.).

  Ongoing Monitoring & Issue Management:
  • Implement continuous monitoring processes for high-risk and critical vendors.
  • Track and manage remediation activities for identified risks and control gaps.
  • Maintain a centralized inventory and reporting of third-party relationships and associated risk profiles.
  • Conduct third-party outreaches for incidents.

  Regulatory Compliance & Audit Support:
  • Prepare documentation and evidence for internal audits, regulatory exams, and board-level reporting.
  • Monitor changes in regulatory requirements and adjust program components accordingly.

  Stakeholder Engagement & Training:
  • Serve as a subject matter expert and advisor to internal teams on third-party risk topics.
  • Develop and deliver training programs to increase awareness and accountability across the organization.
  • Facilitate cross-functional collaboration to enhance risk visibility and response.

  Technology & Automation:
  • Evaluate and implement third-party risk management platforms and tools.
  • Drive automation and process improvements to enhance program efficiency and scalability.

What This Job Offers

Job Type

Full-time

Career Level

Senior

Number of Employees

5,001-10,000 employees

© 2024 Teal Labs, Inc