IT Risk Analyst II

Advisor Group | Scottsdale, AZ
99d | $120,000 - $130,000

About The Position

Osaic is seeking an experienced IT Risk Analyst II to join Osaic's IT Risk & Compliance (ITRC) team. This position will work with business areas throughout the firm to oversee the full lifecycle of vendor risk assessments (VRAs) for technology and service providers, ensuring that third-party risks are effectively identified, assessed, mitigated, and continuously monitored in alignment with financial industry regulations and internal policies.

Requirements

  • A bachelor's degree in Information Security, Risk Management, Business Finance, or Information Technology is preferred; a high school diploma (or equivalent) with significant practical experience will be considered in lieu of a degree.
  • 3+ years of professional experience in Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM), Information Security Risk Management, IT Audit or Compliance, or Technology/cybersecurity governance in financial services.
  • Demonstrated experience in conducting or coordinating vendor security assessments, including reviewing SOC 1, SOC 2 reports, security questionnaires, or risk documentation.
  • Experience assessing vendor compliance with cybersecurity frameworks (NIST CSF 2.0, ISO 27001).
  • Experience or exposure to financial services regulations relevant to vendor management, such as SEC Regulations S-P or NYDFS Cybersecurity regulations (NYCRR 500).
  • Demonstrated experience working with or administering Third-Party Risk Management platforms (e.g., Archer, OneTrust, AuditBoard).
  • Strong analytical and critical thinking skills with the ability to assess risk in complex vendor relationships.
  • Excellent written and verbal communication skills to clearly articulate risk findings and recommendations.
  • Strong organizational and time management abilities to manage multiple assessments simultaneously.
  • Strong project management experience to manage risk mitigation and control improvement initiatives.
  • Experience with or exposure to vendor onboarding and risk assessments for M&A activities.
  • Collaborative approach with a proven ability to work across departments and with external vendors.

Responsibilities

  • Lead and conduct Vendor Risk Assessments (VRAs) on new and existing third-party vendors, focusing on cybersecurity, privacy, resiliency, and regulatory compliance.
  • Perform detailed reviews for vendor SOC 1/SOC 2 reports and SIG questionnaires.
  • Assess each vendor's alignment and compliance with industry standards (NIST CSF, ISO 27001), financial regulations (SEC Reg-SP, NYDFS NYCRR 500), and Osaic's security policies.
  • Collaborate with Legal, Compliance, Procurement, Vendor & Contract Owners, and Information Security teams to address identified vendor risks.
  • Track and manage risk remediation plans for vendor control gaps and findings.
  • Manage ongoing monitoring activities for high-risk vendors, including annual reassessments, risk mitigation tracking, breach notifications, financial stability, and regulatory changes.
  • Ensure vendors supporting critical functions or handling Sensitive Personal Information (SPI) remain compliant with Osaic's security policies and regulatory requirements.
  • Support internal and external audits, examinations, and regulatory inquiries related to third-party risk.
  • Help mature the Third-Party Risk Management (TPRM) program by identifying opportunities for process improvement, automation, and alignment with industry best practices and regulations.
  • Assist in updating policies, procedures, risk assessment templates, and escalation frameworks.
  • Develop and deliver dashboards, metrics, and risk reports to key stakeholders, including risk committees, management, and auditors as required.
  • Maintain clear documentation of assessments, decisions, risks, issues, mitigation plans, and outcomes in the Third-Party Risk Management (TPRM) platform.

Benefits

  • Health, vision, dental insurance
  • 401k
  • Vacation and sick time
  • Volunteer days
  • Annual bonus