Third Party Governance

**Third Party Governance Role**:

- **Vendor Risk Identification and Analysis**:

- Revise the Vendor Risk Assessment Playbook, Process, and Procedures to ensure they re up-to
- date with industry practices.
- Construct a risk assessment plan using a standardized approach to minimize the bank s exposure to third-party vendor risks.

**Third Party Cyber Risk Assessments**:

- Analyse third-party cyber risk assessment documents and procedures to ensure comprehensive risk management.
- Continually monitor and adapt to new risks, ensuring that assessment strategies are proactive.

**Tools, Measurement, and Analysis**:

- Scrutinize and validate cyber tools and create test cases to assess the effectiveness of third
- party cyber risk tools.
- Optimize the use of JIRA for improved tracking and management of cyber assessments.

**Program Governance - Cyber PMO**:

- Establish a Cyber Program Management Office to oversee and align cyber risk projects with organizational goals.
- Provide ongoing support for cyber risk initiatives and ensure effective communication among all stakeholders.

**Vendor Risk Assessment and Mitigation**:

- **Assessment Scope and Connectivity**: Defining the scope of the assessment and identifying how
- vendor services connect with the organization s existing architecture.
- **Questionnaire Distribution and Assistance**: Tailoring assessment questionnaires based on vendor service applicability and facilitating stakeholders in completing them.
- **Evidence Review and Follow-ups**: Reviewing the evidence provided by stakeholders and conducting follow-up meetings for clarification and understanding of responses.
- **Gap Analysis and Validation**: Analysing the questionnaires to identify gaps and conducting validation sessions with stakeholders on the findings.
- **Risk Assessment Reporting**: Compiling the findings into a Risk Assessment Report that details the risks and their ratings.

The deliverables from this stage include a controls checklist for vendors and a comprehensive Risk Assessment report.

**For Risk Mitigation**:

- Propose recommendations and create an action plan for risk treatment.
- Review and evaluate proposed actions against the organization s risk acceptance criteria. For the **Cyber TPG Vendor Assessment**:

- Study and evaluate advanced assessment methodologies for vendors, including their effectiveness and applicability.
- Compare assessment methodologies like vBSIMM, SAMM against current vendor risk profiles.
- Evaluate vendors implementation and maintenance of Cloud SIEM solutions. For **Inherent Risk Profiling of the vendors**:

- Review the inherent cyber risk profiles (IRPs) for vendors within scope.
- Present a categorization of the vendors based on risk and determine the necessity of onsite assessments.
- Outline the scope of the assessment domains for the vendors.
- Analyze the alignment of vendor risk profiles with the organization s cybersecurity framework.
- Assess the necessity for an onsite assessment based on the vendor s risk tier and engagement level.
- Develop a comprehensive risk assessment timeline that accounts for the complexity and scope of vendor services.

The deliverables for these stages include detailed Inherent Risk Profiling which encompasses risk categorization, engagement level risk tiering, scheduling for assessments, and the approach and scope for each vendor.
- Min 5 to Max 10 yrs of relevant experience.

**Location**:

- Pune (Onsite role)

**Notice Period**
- Immediate to 30 days.

The roles will start remotely and those selected to convert to Full time would be expected to be onsite in Pune (preferred) or Chennai.

Hybrid - 3 days onsite/2 remote