Specialist, Vendor Risk Manager, Technology and Operations

4 weeks ago


Mumbai India DBS Bank Full time

Job Description

Business Function

Technology and Operations (T&O) enables and empowers the bank with an efficient, nimble and resilient infrastructure through a strategic focus on productivity, quality & control, technology, people capability and innovation. In Group T&O, we manage the majority of the Bank's operational processes and inspire to delight our business partners through our multiple banking delivery channels.

Job Description

This role is responsible for establishing, implementing, and maintaining a robust third-party risk management program. This role involves overseeing the assessment and continuous monitoring of third-party vendors and partners to identify, evaluate, and mitigate information security, compliance, and operational risks. This role will ensure that third-party relationships adhere to internal policies, industry standards, and regulatory requirements, protecting the organization's assets and reputation.

Key Responsibilities

Program Management:
- Develop, implement, and continuously improve the organization's Third-Party Risk Management (TPRM) framework, policies, procedures, and guidelines.

Risk Assessment & Due Diligence:
- Perform comprehensive end-to-end and in-depth information security assessments of third parties throughout their lifecycle (onboarding, ongoing, offboarding).
- Conduct due diligence reviews of prospective and existing third-party vendors, assessing their security controls, compliance posture, and operational capabilities.
- Advise and assess security mitigating controls for Network, Server, Endpoint security, Data protection (PII, Cards), Cloud security (Azure/AWS/GCP/OCI), Encryption, and API security.
- Review implementation of standards such as PCI-DSS, PCI-PIN, and PA-DSS as applicable to third parties.
- Continuous Monitoring: Establish and manage processes for the periodic assessment and continuous monitoring of third-party and ecosystem partners' security posture and compliance.

Risk Mitigation & Advisory:
- Identify potential risks associated with third-party engagements and projects, and advise on effective mitigation strategies.
- Provide expert guidance on control implementation for the protection of sensitive data and adherence to security-by-design principles.

Reporting & Stakeholder Engagement:
- Responsible for audit planning, report review, and reporting on third-party risk posture to senior management and other stakeholders.
- Liaise with business units on new third-party requirements, ensuring risk is considered from the outset.
- Collaborate with internal teams (e.g., Legal, Procurement, IT, CISO team, Group Security) to ensure a consistent and integrated approach to third-party risk management.
- Work with the CISO team on regulatory requirements and submissions pertaining to Digital Payment security for third-party engagements.
- Liaise with business and partners on compliance and regulatory assurance related to third parties.

Compliance & Standards:
- Ensure third-party engagements comply with relevant laws, regulations, and industry standards.
- Review and validate third-party adherence to recognized security frameworks and standards such as ISMS (ISO 27001), SOC (Service Organization Control reports), and NIST CSF.

Requirements
- Strong understanding and practical experience with Third-Party Risk Management (TPRM) principles and best practices.
- In-depth knowledge of information security domains, including network, server, endpoint, data protection, cloud security (Azure/AWS/GCP/OCI), encryption, and API security.
- Clear understanding of application security assessments, source code review, and VAPT (Vulnerability Assessment and Penetration Testing).
- Strong fundamentals of Defense-in-Depth security and SDLC (Software Development Life Cycle) processes.
- Excellent understanding of industry standards and frameworks such as PCI-DSS, PCI-PIN, PA-DSS, ISMS (ISO 27001), SOC, and NIST CSF.
- Proven ability to conduct security assessments and interpret security reports.
- Strong analytical, problem-solving, and communication skills to effectively engage with internal and external stakeholders.
- Experience with audit planning and reporting.
- Ability to work independently and manage multiple third-party relationships concurrently.



  • Mumbai, Maharashtra, India Paytm Full time

    **About Us**: Paytm is India's leading mobile payments and financial services distribution company. Pioneer of the mobile QR payments revolution in India, Paytm builds technologies that help small businesses with payments and commerce. Paytm’s mission is to serve half a billion Indians and bring them to the mainstream economy with the help of technology....


  • India Ujjivan Small Finance Bank Full time

    POSITION DESCRIPTION. Job Title: Specialist-Operational Risk; Grade: SM; Department: Risk; Location: HO; Type of Position: Full-time; Reports To: Manager – Operational Risk. Specialist-Operational Risk - Job Description Internal Process Reports loss incidents for identification of control gaps Responsible for implementing risk and control matrix / Supports for...


  • Bengaluru, India ABB Full time

    Job Description At ABB, we help industries become more efficient and cleaner. Here, progress is an expectation - for you, your team and the world. As a global market leader, we will give you what you need to achieve it. It will not always be easy; growing takes grit. But at ABB, you will never run alone. Run what runs the world. This Position Reports to IS...


  • Mumbai-suburbs, India Acura Solution Full time ₹ 12,00,000 - ₹ 24,00,000 per year

    Job Description: • Implementing and embedding the Operational risk framework to identify, assess, monitor Vendor risk (Outsourcing & Non-Outsourcing Services) • Ensuring Gatekeeping of all new vendors to ensure onboarding requirements are completed prior to vendor services being consumed. • Co-ordination with Payments Teams to ensure ORM approval is...


  • Noida, India Ameriprise Financial Services, LLC Full time

    Job Description - Partnering with technology, business, compliance, and audit partners to operationalize technology risk framework. - Solid working understanding of Vendor Risk Management process end-to-end, should be able to lead and participate in the vendor risk assessments. - Acting as a liaison between audit owners and technology teams to facilitate...


  • Mumbai, India Cubical Operations LLP Full time

    Job Title: Manager – Third Party Risk Management (TPRM) Location: Mumbai Experience: 6+ Years Department: Information Risk Management / Information Security About the Role: We are seeking an experienced TPRM Manager to lead and enhance our Third-Party Risk Management framework. The ideal candidate will have a strong background in Information Risk Management...

