The Third Party Risk Management (TPRM) Analyst will support the Firm’s Information Security and Risk teams in evaluating and monitoring the security posture of vendors and other third parties. This role focuses on conducting security reviews, assessing compliance with industry standards, and ensuring that vendors meet the Firm’s cybersecurity and data protection requirements. The Analyst will play a key role in protecting the Firm’s data and maintaining compliance.
Key Responsibilities
- Perform third-party/vendor security assessments, including review of security documentation such as ISO 27001 certifications, SOC 1 and SOC 2 reports, and other relevant attestations.
- Evaluate vendor risk based on responses to security questionnaires and evidence of controls.
- Use BitSight tools to review and continuously monitor vendors’ cybersecurity posture and identify emerging risks.
- Maintain and update the vendor risk management system, ensuring accurate documentation of assessments, remediation actions, and risk ratings.
- Collaborate with Information Security and Procurement teams to ensure that risk findings are communicated and addressed.
- Assist in developing and refining third-party risk management procedures, policies, and reporting.
- Track remediation efforts and follow up with vendors on open findings or improvement actions.
- Support due diligence efforts for new vendor engagements and periodic reviews of existing relationships.
- Stay current on evolving cybersecurity threats, regulatory expectations, and third-party risk management best practices.
Qualifications
- Bachelor’s degree in Information Security, Information Technology, Risk Management, or a related field (or equivalent experience).
- 2+ years of experience in vendor risk management, information security, or IT audit.
- Familiarity with security and privacy frameworks, including ISO 27001, NIST CSF, and SOC 2 Trust Service Criteria.
- Experience using BitSight, SecurityScorecard, or other vendor security rating platforms.
- Strong analytical and communication skills with the ability to present findings clearly to technical and non-technical stakeholders.
- Detail-oriented, with strong organizational and documentation skills.
- Experience working in a law firm, financial services, or other regulated environment preferred.
Preferred Skills
- Understanding of data privacy regulations (e.g., GDPR, CCPA, HIPAA).
- Experience with vendor risk management systems (e.g., Archer, OneTrust, ProcessUnity).
- Relevant certifications such as CISA, CRISC, CISSP, or CTPRP are a plus.