10 - 14 years
7 - 8 Lacs
Posted: 20 hours ago
On-site
Part Time
The Senior Associate, Information Security Third-party Risk Management position will be an integral member of the Information Security and Risk Management team.
The Senior Associate will support the Information Security & Risk Management team in executing Grant Thornton’s Third-Party Risk Management (TPRM) Framework. This role focuses on performing vendor risk assessments, maintaining risk records, and assisting with remediation oversight under the guidance of senior team members.
This role will sit in the Chief Information Security Officer (CISO) office under the Associate Director, Information Security Governance, Risk and Compliance.
The successful candidate will have a good mix of technical knowledge of information technology, networking, and applications, an understanding of industry security best practices, and some experience in an information security risk management program.
The ideal candidate:
is a self-starter, with the ability to drive tasks to and learn new skills on the job.
possesses analytical thinking, is comfortable managing multiple tasks within a fast-paced environment, and has worked collaboratively in a third-party risk management team environment.
possesses good verbal and written communication skills, is pragmatic, and is a team collaborator.
Key Responsibilities:
Conduct basic security risk assessments for third-party vendors using OneTrust.
Maintain and update the risk register for supplier risks.
Support remediation tracking for supplier security findings.
Prepare summary reports for review.
Ensure compliance with firm security policies and procedures.
Collaborate with internal teams and vendors to collect required evidence documentation.
Help execute the information security third-party risk management framework.
Prepare risk registers in OneTrust to monitor and track risks.
Help develop CUECs to document the shared responsibility model.
Required Experience
Experience with information security risk management framework, assessment, audit, and controls based on industry standard frameworks (i.e., NIST; ISO)
Some experience of using GRC tools and technologies in support of the assessment/audit process preferred (OneTrust, Security Scorecard, BitSight, etc.)
Experience gathering information from a range of different sources to help identify weaknesses in security controls.
Demonstrates good understanding across multiple information security domains preferred.
Qualifications
Bachelor’s degree in Computer Science, Engineering, or a related field, or equivalent work experience.
CISA, CRISC, CISM, CISSP, or Lead Auditor ISO 27000 certifications (at least one) preferred or working towards it.
Demonstrates good verbal and written communication skills.
Excellent organization skills and a self-motivated learner.
Very good experience in executing an information security third-party risk management program.
Grant Thornton INDUS