Program Lead, Third Party Risk and Resilience Management

About The Position

Requirements

• Bachelor’s or Advanced degree in a technical or business discipline (Computer Science, Information Security, or related field)
• 8 years in IT/R&D environments
• 5 years managing large-scale ODCs or captive centers
• Experience with Roche (or other large organization within a highly regulated industry) IT Security standards and compliance frameworks
• Strong compliance understanding to identify and mitigate risks; knowledge of GDPR, CCPA, and data privacy standards
• Experience with regulatory frameworks (GxP, ISO 27001) and audit requirements
• Experience with risk assessment methodologies and vendor security evaluation
• Background in connectivity / network infrastructure: IT networks, cabling, switches, routers, WAN, firewalls
• Experience with virtual environments: VDI, Citrix platforms, and application virtualization
• IT operations knowledge: thin/thick clients, servers, and technical documentation
• ServiceNow and IT Service Management tools
• Familiarity with cloud infrastructure (AWS/Azure), DevOps and enterprise security frameworks
• Experience with ISMS & ITSM implementation and best practices
• Incident management and problem resolution experience
• Deep understanding of Software Development Lifecycle (SDLC) and R&D workflows
• Outsourcing engagement models and service delivery operations
• Pharmaceutical industry standards and R&D innovation processes

Nice To Haves

• Professional security or risk management credentials—such as CISSP, CISM, CRISC, or equivalent

Responsibilities

• Determine ODC necessity based on country risk and data sensitivity
• Initiate new ODC setups, coordinate vendor office space establishment, and guide vendors on Roche Security standards
• Conduct Security Risk Assessment (SRA) and Data Classification Review (DCR) for all services and applications
• Identify services unsuitable for external business partners and escalate to product/service owners or DSM for remediation
• Create, review, and maintain ODC Manuals, Impact Assessments, and Security Control Tables
• Periodically review and update impact assessment documents to remove retired services
• Ensure compliance with legal requirements (GDPR, CCPA) and Roche security protocols
• Act as the owner for role-specific training curricula
• Ensure training compliance for all external personnel by verifying mandatory security and role-specific requirements are met prior to system access.
• Accountable for the systematic tracking and enforcement of training completion for vendor resources, leveraging the Roche Training Solution system
• Approve all ODC changes including staff assignments, project onboarding, and service modifications
• Manage ServiceNow requests for infrastructure (NAS storage, VD/VDI creation/updates, application packaging)
• Identify VSA requirements and maintain vendor security/privacy capabilities throughout ODC lifecycle
• Ensure security audits completed prior to service commencement and conduct periodic audits
• Conduct assessments when major changes occur (new projects with higher security needs)
• Track and remediate audit findings with vendors
• Ensure mandatory notifications are formally integrated into processes (e.g., GSP) for all new vendor collaborations
• Coordinate dedicated VDI planning with Citrix when default environments cannot support daily tasks
• Optimize virtual desktop and application virtualization to reduce VDI requirements
• Manage port opening for DIA, RDI, VDIs, and coordinate VDI creation
• Collaborate with Network, Perimeter, and Citrix teams on connectivity and URL whitelisting
• Ensure Business Partner Organization (BPO) approvals for applications, systems, URLs, RDP/SSH access
• Populate and verify application inventories, URLs, and RDP/SSH server lists for Smart Web and virtual environments
• Add users to ODC groups and implement access restrictions or policies as required
• Lead ODC Security Incident Management with timely identification, escalation, and resolution
• Promptly escalate security incidents to Roche IT Security Governance
• Maintain incident, change, and problem management processes across all ODC operations
• Participate in security audits and ensure all identified gaps are promptly closed
• Regular evaluation of ODC setups for necessary updates
• Document audit findings and track remediation to completion
• Ensure execution of Business Continuity Plans and maintain disaster recovery readiness
• Coordinate vendor selection, onboarding, and performance monitoring of strategic offshore partners
• Work with vendor ODC managers and PICs on service/project onboarding and offboarding
• Review periodic ODC compliance reports and resolve conflicts/issues related to readiness
• Manage ODC user onboarding, offboarding, travel requests, and work-from-home (teleworking) approvals
• Collaborate with vendors and delivery teams on project details and application access requirements
• Oversee ODC decommissioning with proper data handling, access revocation, and infrastructure cleanup
• Provide guidance on virtual desktop, application, and network challenges
• Participate in technical discussions on Citrix, network infrastructure (WAN, firewalls, clients), security, risk, and governance
• Coordinate across Vendor ODC managers, Roche IT Security, Network, Perimeter, Citrix, and application teams
• Address ad-hoc requests and ODC challenges with quality and compliance focus
• Translate complex technical requirements; articulate constraints and propose viable alternatives

Benefits

• A discretionary annual bonus may be available based on individual and Company performance.
• Benefits detailed at the link provided below.