Senior Information Security TPRM Analyst

Live Oak Bank
$128,500 - $179,900

About The Position

The Senior Information Security TPRM Analyst supports the execution of Live Oak’s third‑party security risk management activities by performing vendor security due diligence, documenting results, tracking remediation, and producing clear reporting for Information Security, Vendor Management, and Business Unit stakeholders. The role helps ensure third parties are assessed and monitored consistently through onboarding and ongoing review processes, contributes to maintaining relevant documentation (e.g., standards, procedures, and evidence) aligned to internal control expectations and applicable regulatory guidance, and supports customer trust and assurance activities through consistent security documentation and responses.

Requirements

  • 5+ years in information security, technology risk, third‑party risk management, IT audit, or a related role
  • Strong knowledge of security controls and third‑party risk concepts, including how they apply across applications, infrastructure, data, and business processes
  • Working knowledge of information security and third‑party risk management guidance and expectations applicable to financial services (e.g., FFIEC), including evidence and documentation practices
  • Hands‑on experience performing vendor due diligence (e.g., questionnaires, SOC report review, policy/evidence review), documenting results, and tracking remediation
  • Experience supporting audits/exams by preparing evidence, responding to requests, and communicating assessment details to internal stakeholders
  • Working knowledge of continuous monitoring and vendor risk intelligence tools (or ability to learn quickly)
  • Knowledge of business continuity planning concepts and the ability to review third‑party resiliency documentation

Nice To Haves

  • Strong project coordination, documentation, and written/oral communication skills
  • Ability to work effectively with cross‑functional stakeholders (Information Security, Procurement, Legal, Vendor Management, and business owners)
  • Experience operating within a third‑party risk management program, including process execution, workflow management, and continuous improvement
  • Experience reviewing security terms in vendor contracts/exhibits and partnering with Legal on security requirement questions
  • Experience applying banking/financial services security and third‑party risk expectations in day‑to‑day assessment and documentation work

Responsibilities

  • Execute third‑party information security assessments (initial and periodic), including evidence collection, control evaluation, and documentation of inherent and residual risk
  • Support the operation of the third‑party security risk program by following defined procedures, maintaining workpapers, and ensuring assessments are completed within agreed timelines
  • Prepare materials and provide analysis to support information security governance forums (e.g., steering committee updates), including status, metrics, and key risk themes
  • Maintain and help publish up‑to‑date third‑party security procedures, assessment templates, and supporting documentation
  • Identify process improvement opportunities (e.g., workflow, tooling, data quality) and recommend enhancements to increase consistency and efficiency
  • Leverage AI-enabled TPRM tools to accelerate intake and analysis (e.g., summarizing vendor evidence, mapping responses to control requirements, and identifying gaps), while validating outputs for accuracy and auditability
  • Partner with Legal, Procurement, and Vendor Management to support security due diligence questions and standard contract/exhibit security requirements
  • Apply sound judgment, communicate issues early, and document lessons learned to continuously improve assessment quality and outcomes
  • Produce regular reporting on third‑party security assessment status, findings, exceptions, and remediation progress for Information Security and risk stakeholders
  • Create, stand up, and continuously improve a Customer Trust Program (e.g., trust center content, security evidence library, and standardized customer security questionnaire responses) in partnership with Information Security and business stakeholders
  • Contribute to a collaborative and inclusive working environment through effective communication, knowledge sharing, and respectful partnership
  • Apply assessment experience to evaluate control design and effectiveness, and clearly document rationale and outcomes
  • Coordinate with vendors and internal stakeholders to obtain evidence, clarify responses, and resolve open assessment items
  • Monitor for relevant security and third‑party risk topics (e.g., control gaps, recurring issues) and escalate items to appropriate leads with supporting analysis
  • Support audits and exams by compiling assessment evidence, responding to information requests, and ensuring third‑party risk documentation is complete and accurate
  • Execute the risk‑based vendor assessment approach, including scoping, risk rating support, issue tracking, and remediation follow‑up for partners and service providers
  • Document control requirements, map vendor evidence to controls, and identify opportunities to leverage first‑line testing or existing assurance reports (e.g., SOC)
  • Support third‑party resiliency reviews by collecting and evaluating business continuity and disaster recovery documentation and tracking gaps
  • Coordinate with Information Security, Compliance, Audit, Legal, and HR as needed to complete assessments and respond to third‑party risk-related requests
  • Maintain metrics and dashboards (KPIs/KRIs) to measure assessment throughput, timeliness, issue aging, and recurring findings
  • Support maintenance of the Cyber Risk register by drafting entries, updating statuses, and preparing summary views of top third‑party risks for stakeholder review
  • Follow applicable regulatory requirements and internal policies (including those related to BSA/AML/CIP/OFAC, as relevant to the role) and escalate potential compliance concerns through appropriate channels
  • Apply third‑party risk management and information security best practices (e.g., FFIEC guidance) when performing assessments and documenting results
  • Maintain ongoing regulatory and policy awareness (including BSA/AML/CIP/OFAC, as applicable) and complete required training

Benefits

  • Paid sick leave