
Third Party Risk Specialist, India
Vultr • Remote - India
Posted: May 19, 2026
Job Description
Who We Are
Vultr is on a mission to make high-performance cloud infrastructure easy to use, affordable, and locally accessible for enterprises and AI innovators around the world. With 32 global cloud data center locations, Vultr is trusted by hundreds of thousands of active customers across 185 countries for its flexible, scalable, global Cloud Compute, Cloud GPU, Bare Metal, and Cloud Storage solutions. In December 2024 Vultr announced an equity financing at a $3.5 billion valuation. Founded by David Aninowsky and self-funded for over a decade, Vultr has grown to become the world’s largest privately-held cloud infrastructure company.
Vultr Cares
Medical Insurance stipend paid annually.
Professional Development Reimbursement.
9 Company-Paid Holidays.
Generous Leave Policy + 1 month paid sabbatical every 5 years + Anniversary Bonus each year.
First year remote office setup + reimbursement per quarter each subsequent year for new equipment.
Internet reimbursement.
Fitness membership reimbursement.
Company paid Wellable subscription.
Join Vultr
Vultr is seeking a highly skilled and experienced Third Party Risk Specialist to conduct technical security assessments of new and existing vendors. The ideal candidate has 3 to 5 years of experience in the Technical Validation role of a TPRM program. This role is a core member of the Third-Party Risk Management team, responsible for evaluating and continuously monitoring the cybersecurity and technical posture of the organization's vendor ecosystem. It ensures that third parties meet and maintain the organization's security standards throughout the entire vendor lifecycle, from initial due diligence through offboarding, and serves as a critical defense layer against supply chain and third-party cyber risk. This is a highly visible role in a high-growth technology company, and it requires a comprehensive understanding of TPRM and GRC platforms (Jira, AuditBoard, Drata, Security Scorecard, DocuBark, etc.) to track and prioritize incoming vendor risk assessments and the continuous monitoring of existing vendors. This is your opportunity to join our fast-growing team and leave your mark on Vultr and the future of Cloud Infrastructure.
Key Responsibilities
Conduct in-depth technical security assessments of new and existing vendors using standardized questionnaires (SIG, CAIQ, custom frameworks).
Validate that vendor-submitted controls align with industry standards including NIST CSF, ISO 27001, SOC 2, CIS Controls, and applicable regulations (GDPR, DORA, HIPAA, PCI-DSS).
Review evidence packages including penetration test reports, vulnerability scans, audit logs, and attestations.
Assess network architecture, encryption standards, access controls, patch management practices, and identity management implementations.
Operate and interpret third-party security rating platforms (e.g., ArgosRisk, DocuBark, etc.) to track changes in vendor risk posture.
Monitor vendors' attack surfaces for newly exposed assets, misconfigurations, and known vulnerabilities (CVEs/zero-days).
Configure and manage automated alerts for changes in vendor security ratings, breach disclosures, or threat intelligence signals.
Perform periodic reassessments on a cadence aligned to vendor risk tier (Tier 1: quarterly, Tier 2: semi-annual, Tier 3: annual).
Collect, review, and validate supporting evidence for vendor control claims.
Analyze SOC 1 / SOC 2 Type II reports, noting exceptions, qualified opinions, and control gaps.
Verify currency and scope of ISO 27001, PCI-DSS, HIPAA, and other certifications.
Maintain audit-ready documentation for each vendor within the GRC platform.
Monitor vendor breach disclosures and assess organizational impact from third-party security incidents.
Coordinate with internal Incident Response (IR) and Security Operations Center (SOC) teams when a vendor is compromised.
Track open findings, remediation commitments, and validate closure through re-assessment.
Escalate unresolved high-severity findings to risk owners and senior management.
Assign, maintain, and update technical risk scores for each vendor based on assessment findings and monitoring signals.
Weight risk findings by vendor criticality — factoring in data sensitivity, operational dependency, and regulatory exposure.
Contribute technical risk inputs to overall vendor risk ratings within the GRC/TPRM platform.
Produce executive-ready dashboards, risk summaries, and periodic reports for senior leadership and risk committees.
Identify and map key sub-processors and technology dependencies for critical vendors.
Assess concentration risk — flagging cases where multiple vendors rely on the same cloud provider, data center, or software stack.
Require vendors to notify of material sub-processor changes and reassess impacted risk profiles accordingly.
Issue formal technical findings reports to vendors with clear, prioritized remediation guidance.
Define remediation timelines, escalation thresholds, and acceptable compensating controls.
Validate remediation effectiveness through follow-up evidence collection and re-testing.
Escalate non-compliant or unresponsive vendors to procurement, legal, or executive stakeholders.
Partner with Procurement, Legal, Compliance, and Business Owners on vendor onboarding and renewal decisions.
Translate complex technical findings into clear, business-oriented risk narratives for non-technical stakeholders.
Advise on security contract clauses, SLAs, right-to-audit provisions, and breach notification terms.
Support internal audit, regulatory exams, and external assessments requiring third-party risk evidence.
Continuously refine assessment questionnaires, technical benchmarks, and monitoring playbooks.
Stay current on emerging threats, regulatory changes, and evolving industry standards relevant to vendor risk.
Contribute to the development and refinement of vendor tiering models and organizational risk appetite definitions.
Evaluate and recommend new tools or capabilities to strengthen the TPRM monitoring program.
Qualifications
Minimum of 3-5 years of work experience in an IT/Security Compliance/Audit function (or equivalent).
Bachelor's degree in Cybersecurity, Information Systems, Computer Science, or a related field required.
A master's degree or equivalent experience in Information Security or Risk Management is a plus. Seven years of experience can suffice in lieu of degree requirements.
Familiarity with the security and compliance standards/regulations, specifically SOC 2, ISO 27001, ISO 27701, NIST 800-53, NIST CSF, FedRAMP, DPDPA, MeiTy, GDPR, PCI DSS and HIPAA.
Applicants must have work authorization that does not require sponsorship from the company now or in the future.
Bonus but not required - CIPP, CTPRM or equivalent certification.
Experience with Supplier Life Cycle Management - Vendor Contracting Process and Third-Party Risk Management Programs for Cloud providers.
Must be able to collaborate in US time zones.
Understanding of AI LLM and testing of AI platforms and products.
Self-starter who requires minimal direction from leadership.
Methodical and diligent with outstanding planning abilities.
Able to meet deadlines and handle multiple priorities.
Strong ability to negotiate with business partners to attain successful outcomes.
Strong project management skills with the ability to manage several large projects at the same time, keeping them on scope, on budget, and on time.
Ability to present and effectively communicate with all levels of the organization.
Flexible, with the ability to multitask, effectively prioritize, and work under pressure.
Advocate of continuous improvement and industry-recognized best practice.
Must be able to start employment within 30 days of offer of employment.
Inclusion & Privacy
We are an equal opportunity employer and are committed to creating an inclusive environment for all employees. We welcome applications from individuals of all backgrounds and experiences, and we prohibit discrimination based on race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, veteran status, or any other protected status under applicable laws. Vultr will consider qualified applicants with arrest or conviction records in accordance with applicable laws and will not conduct a background check until after an offer of employment has been extended and accepted.
We also take your privacy seriously. We handle personal information responsibly and follow applicable laws, including U.S. privacy rules and India’s Digital Personal Data Protection Act, 2023. Your data is used only for legitimate business purposes and is protected with proper security measures.
Where allowed by law, applicants may request details about the data we collect, access or delete their information, withdraw consent for its use, and opt out of nonessential communications. For more details, please see our Privacy Policy.