Procom
Responsible for developing, implementing, and maintaining the third-party risk management (TPRM) security program. This position works closely with Cybersecurity leadership, Legal, Corporate Compliance, Sourcing/Procurement, and other stakeholders to ensure that third-party information security controls are implemented and operating effectively. Supervises a team of cybersecurity personnel to maintain and support third-party security policies, procedures, and risk management processes. Provides third-party risk management consulting on complex organizational projects. Evaluates existing systems and procedures and makes recommendations for improvements to system controls.
Job Responsibilities:
Collaborates with Cybersecurity leadership to develop and mature overall TPRM program through effective governance, comprehensive vendor analysis and review processes, and implementation and monitoring of vendor management security controls.
Manages a team of cybersecurity analysts responsible for execution of the TPRM program vision.
Responsible for the TPRM team’s adherence to third-party risk management policies and standards.
Manages and maintains TPRM technology and toolsets that support the TPRM program.
Owns and oversees the TPRM program charged with performing security reviews of all new and existing technology vendors on a regularly scheduled basis. Third-party risk management will include:
Development of a TPRM program vision and methodology.
Management of vendor information security questionnaires.
Interpretation and analysis of vendor input.
Reporting results of vendor security profiles.
Where necessary, managing security gaps so that technology vendors meet minimum security requirements through enhancement or remediation of their security capabilities.
Preparing regular governance reports to various cross-functional stakeholders and management concerning the current state of information security measures.
Making recommendations for improvement, as required.
Makes meaningful risk-mitigating recommendations that directly improve the third-party risk posture.
Fosters relationships with internal and external stakeholders.
Collaborates internally with security experts to understand requirements and standards.
Works with Cybersecurity GRC to track vendor risks and risk exceptions to TPRM policies and standards.
Identifies and provides input on information security awareness training related to the TPRM program. Collaborates with training and cybersecurity awareness and education teams to develop and implement training courses to enhance security capabilities and competencies of the organization.
Develops roadmaps for TPRM maturity. Leads TPRM projects and initiatives to implement and execute on the roadmap.
Works with IT management, risk managers, corporate compliance, and in-house legal counsel to perform and maintain TPRM risk assessments concerning potential vendor cyber risks. TPRM assessments may include assessment of vendor capacity, data privacy, vendor geography concerns, vendor competition, import/export sanctions, vendor insurance coverage, vendor performance, and vendor continuity concerns.
Provides support in the development and implementation of mitigating security controls where vendor controls may fall short of requirements.
Maintains relationships with clinical and business management to ensure third-party reviews are completed on time and in accordance with policies and standards.
Keeps informed of new and emerging information security trends in TPRM processes.
Required Job Qualifications:
8+ years of relevant experience focusing on security policy creation and lifecycle management, auditing methodology, technology risk management, and/or third-party risk management.
Excellent verbal and written communications skills.
Self-starter with ability to work independently to create, build, and manage frameworks and programs.
Ability to analyze and present critical information to all levels of staff from general employee level to Board-level reporting metrics.
Ability to source, analyze, negotiate, select and manage third-party vendors to achieve program deliverables.
Must have excellent interpersonal skills to effectively communicate with all levels of hospital personnel, vendors, IT personnel, and direct reports.
Strong prioritization, multi-tasking, and time management skills.
Demonstrated knowledge of cybersecurity controls, their implementation, compliance, and governance.
Thorough understanding of vendor risk analysis.
Must possess the ability to deliver clear, concise communications and presentations. Must be able to train others quickly and thoroughly on key cybersecurity concepts.
Knowledge of Federal and State regulations including HIPAA, SOX, and FERPA.
Knowledge of industry leading frameworks including NIST, HITRUST, PCI, ISO, SOC 2, ITIL, and COSO.
Preferred Job Qualifications:
3+ years of relevant and progressive GRC experience in a healthcare setting.
Security industry certifications such as CISM, CISSP, ISSMP or CCISO are desirable.
Seniority level: Mid-Senior level
Employment type: Full-time
Job function: Information Technology
Industry: Hospitals and Health Care