Third Party Security Risk Analyst

3 - 8 years

3 - 8 Lacs

Posted: 2 days ago | Platform: Foundit

Work Mode

On-site

Job Type

Full Time

Job Description

Key Responsibilities:

  • Vendor Security Documentation Review: Evaluate third-party security artifacts including SOC 2 Type II reports, ISO/IEC 27001 certificates (with Statement of Applicability), vulnerability assessment and penetration testing (VAPT) results, and security policy documentation. Identify gaps or weaknesses in vendor controls and document potential risks for review.
  • Technical Capability Assessment: Analyze vendor capabilities related to identity and access management (SSO, MFA), data protection (encryption at rest/in transit, field-level encryption, masking), integration options (agents or SDKs/libraries, APIs, webhooks, file-based), and logging (support for SIEM integration, event types, delivery mechanisms). Validate alignment with Broadridge standards.
  • Stakeholder Communication and Guidance: Provide subject matter expertise to business stakeholders evaluating third-party solutions. Help translate security findings into business terms, and support vendor communications to clarify expectations and request missing documentation or clarifications on security capabilities.
  • Continuous Improvement and Standardization: Help refine the interactions between BISG and TPRM and the security assessment process by contributing to standard checklists, risk scoring models, and onboarding workflows. Stay current on emerging third-party security risks and recommend enhancements to evaluation criteria over time.

Required Skills and Qualifications:

  • Bachelor's degree in computer science, information technology or a related field.
  • 5-8 years of experience in Information Security, with at least 3 years in vendor security reviews or third-party risk management.
  • Strong understanding of cloud service provider controls, SaaS architectures, and data protection strategies.
  • Familiarity with security and compliance frameworks such as SOC 2, ISO 27001, NIST SP 800-53, and CIS Controls.
  • Hands-on experience evaluating documentation such as SOC 2, VAPT reports, risk assessments, and policy/procedure artifacts.
  • Working knowledge of IAM principles (SSO, MFA), secure integration practices (API security, encryption), and log management (SIEM integrations).
  • Clear and concise written communication skills with the ability to summarize risk and control gaps effectively.
  • Ability to collaborate across multiple stakeholder groups and manage competing priorities.

Preferred Qualifications:

  • Experience working in a regulated industry (e.g., financial services, healthcare, insurance).
  • Certifications such as CCSK, CISA, CRISC, or Certified Third Party Risk Professional (CTPRP), Certified Third Party Risk Assessor (CTPRA), or Certified Third Party Risk Management Professional (C3PRMP).
  • Familiarity with third-party risk tools and platforms (e.g., ProcessUnity, Archer) is a plus.

Broadridge

Financial Services

New York


Noida, Uttar Pradesh, India