Assistant Vice President, Vendor Risk Manager, Technology and Operations

Business Function

Key Responsibilities

• Program Management: Develop, implement, and continuously improve the organization's Third-Party Risk Management (TPRM) framework, policies, procedures, and guidelines
• Risk Assessment & Due Diligence:
• Perform comprehensive end-to-end and in-depth information security assessments of third parties throughout their lifecycle (onboarding, ongoing, offboarding)
• Conduct due diligence reviews of prospective and existing third-party vendors, assessing their security controls, compliance posture, and operational capabilities
• Advise and assess security mitigating controls for Network, Server, Endpoint security, Data protection (PII, Cards), Cloud security (Azure/AWS/GCP/OCI), Encryption, and API security
• Review implementation of standards such as PCI-DSS, PCI-PIN, and PA-DSS as applicable to third parties
• Continuous Monitoring: Establish and manage processes for the periodic assessment and continuous monitoring of third-party and ecosystem partners' security posture and compliance
• Risk Mitigation & Advisory:
• Identify potential risks associated with third-party engagements and projects, advise on effective mitigation strategies
• Provide expert guidance on control implementation for the protection of sensitive data and adherence to security-by-design principles
• Reporting & Stakeholder Engagement:
• Responsible for audit planning, report review, and reporting on third-party risk posture to senior management and other stakeholders
• Liaise with business units on new third-party requirements, ensuring risk is considered from the outset
• Collaborate with internal teams (e.g., Legal, Procurement, IT, CISO team, Group Security) to ensure a consistent and integrated approach to third-party risk management
• Work with the CISO team on regulatory requirements and submissions pertaining to Digital Payment security for third-party engagements
• Liaise with business and partners on compliance and regulatory assurance related to third parties
• Compliance & Standards:
• Ensure third-party engagements comply with relevant laws, regulations, and industry standards
• Review and validate third-party adherence to recognized security frameworks and standards such as ISMS (ISO 27001), SOC (Service Organization Control reports), and NIST CSF
  

Requirements

• Strong understanding and practical experience with Third-Party Risk Management (TPRM) principles and best practices
• In-depth knowledge of information security domains, including network, server, endpoint, data protection, cloud security (Azure/AWS/GCP/OCI), encryption, and API security
• Clear understanding of application security assessments, source code review, and VAPT (Vulnerability Assessment and Penetration Testing)
• Strong fundamentals of Defense-in-Depth security and SDLC (Software Development Life Cycle) processes
• Excellent understanding of industry standards and frameworks such as PCI-DSS, PCI-PIN, PA-DSS, ISMS (ISO 27001), SOC, and NIST CSF
• Proven ability to conduct security assessments and interpret security reports
• Strong analytical, problem-solving, and communication skills to effectively engage with internal and external stakeholders
• Experience with audit planning and reporting
• Ability to work independently and manage multiple third-party relationships concurrently
  

Primary Location

Job

Schedule

Job Type

Job Posting