On-site Information Security Vendor Management Analyst

Description

The Vendor Management Analyst is responsible for supporting the Bank’s Third-Party Risk Management (TPRM) Program within the Information Security department. This role evaluates the risk of new and existing third-party relationships, conducts and documents due diligence, supports contract reviews, and manages ongoing monitoring activities to ensure compliance with regulatory guidance (e.g., FFIEC, GLBA, FDIC). The Analyst will work closely with business owners, Risk, Compliance, Project Management, Finance, and senior leadership to ensure vendors meet the Bank’s security, operational, and financial requirements.

• Evaluate risks presented by new and existing vendors across cybersecurity, operational, financial, compliance, business continuity, privacy, and reputational domains.
• Determine required risk tiering and corresponding due diligence requirements.
• Partner with business units to ensure clear articulation of vendor use cases and criticality.
• Gather required due diligence artifacts such as SOC 2 reports, independent audits, penetration test summaries, cybersecurity questionnaires, financial statements, insurance certificates, business continuity plans, and regulatory compliance attestations.
• Review and assess due diligence documents for adequacy, control effectiveness, gaps, and red flags.
• Document findings, residual risks, and recommendations within the Bank’s vendor management system.
• Request and follow up on remediation or compensating controls for identified deficiencies.
• Maintain documentation memorializing new vendor diligence and ongoing monitoring results.

• Review contracts and amendments for required information security and risk-related provisions, including data security requirements, confidentiality, incident reporting, business continuity, right to audit, subcontractor oversight, and termination rights.
• Collaborate with Legal and Procurement to ensure contract terms align with bank policy.

• Maintain the Bank’s Vendor Watchlist to track issues with vendors, vendor remediation efforts, and follow up on open issues.
• Document evidence of corrective actions and ensure timely resolution of audit or exam findings.

• Prepare reporting for management, committees, and the Board.
• Support internal/external audits and regulatory exams.
• Assist with development and enhancement of TPRM policies and procedures.
• Train business units and stakeholders on the vendor management process and program.

• Bachelor’s degree in Information Security, Business, Risk Management, or related field.
• 2–5 years of experience in vendor management, third-party risk, cybersecurity risk, or related banking role.
• Prior experience in banking or financial services.
• Ability to interpret SOC reports and cybersecurity controls.
• Strong analytical and documentation skills.

• Understanding of FFIEC, GLBA, and industry best practices.
• Familiarity with NIST CSF, ISO 27001, SIG/AUP questionnaires.
• Experience reviewing contracts from a security or risk perspective.
• Exceptional candidates will have relevant certifications such as CTPRP, CRVPM, or CRISC.