GRC TPRM

Posted 20 hours ago

Gurugram, India | Sn Dhawan | Full time

Governance, Risk, and Compliance (GRC) Specialist Third-Party Risk Management & Training

Overview

We are seeking a detail-oriented and highly motivated Governance, Risk, and Compliance (GRC) Specialist with a focus on Third-Party Risk Management (TPRM) and security training. This role is critical in ensuring that our organization's vendor relationships, cloud/SaaS engagements, and internal processes align with regulatory requirements, industry frameworks, and internal policies. The ideal candidate will combine deep knowledge of risk frameworks with hands-on experience in vendor security assessments, compliance management, and the creation of effective security awareness and training programs.

Key Responsibilities

  • Third-Party Risk Lifecycle Management – Manage the full lifecycle of third-party risk management, from onboarding to continuous monitoring and offboarding, ensuring vendor risk posture meets organizational risk appetite.
  • Vendor Security Assessments – Conduct initial and ongoing security assessments of vendors, including reviewing standardized questionnaires (e.g., SIG), SOC reports (SSAE 18 attestations, SOC 2), penetration test results, and vendor security documentation.
  • Cloud/SaaS Security Evaluation – Evaluate SaaS and cloud-based solutions for compliance with security policies, contractual requirements, and relevant frameworks (ISO 27001, NIST CSF, CSA CCM).
  • Risk Identification & Remediation – Identify security and privacy risks in vendor services, recommend mitigation strategies, track remediation efforts, and validate closure of identified gaps.
  • Contractual Security Requirements – Collaborate with Legal and Procurement to negotiate and review security clauses, data protection addendums (DPA), and Information Protection Addendums (IPA).
  • Governance & Compliance Alignment – Ensure TPRM processes are aligned with applicable regulations (GDPR, CCPA, HIPAA, SOX) and industry standards (ISO, NIST, PCI DSS).
  • Risk Reporting & Metrics – Maintain an up-to-date vendor risk register and produce detailed reports, dashboards, and executive summaries for leadership, regulators, and auditors.
  • Policy & Framework Development – Assist in designing, implementing, and enhancing TPRM and GRC policies, standards, and procedures.
  • Audit & Regulatory Support – Support internal and external audits, providing evidence and ensuring corrective actions are implemented on time.
  • Process Optimization – Identify opportunities to enhance TPRM processes using automation, AI, and GRC tools (e.g., Archer, ServiceNow GRC, ProcessUnity, Prevalent).
  • Security Awareness & Training – Develop and deliver targeted security awareness and GRC training programs for employees, focusing on vendor risk, compliance obligations, and data protection.
  • Stakeholder Engagement – Partner with security engineering, risk, legal, procurement, and business units to ensure cohesive risk management strategies.
  • Incident Management Support – Collaborate with the SOC and incident response teams when a vendor-related incident occurs, including forensic review and contractual notification obligations.
  • Continuous Improvement & Benchmarking – Stay informed about emerging risks, regulatory changes, and industry best practices to enhance the TPRM program.
  • Regulatory Intelligence – Track and interpret evolving regulatory requirements that may impact vendor relationships and adjust processes accordingly.
  • Training Evaluation – Measure the effectiveness of training programs through assessments, simulations, and user feedback to ensure continuous improvement.

Required Qualifications

  • Bachelor's or Master's degree in Information Security, Risk Management, or related discipline.
  • 3–7 years of experience in GRC, third-party risk management, or vendor security assurance roles.
  • Strong knowledge of frameworks and standards (ISO 27001/27002, NIST CSF, SOC 2, PCI DSS).
  • Experience with GRC and TPRM platforms (RSA Archer, ServiceNow GRC, ProcessUnity, MetricStream).
  • Familiarity with cloud and SaaS security principles.
  • Excellent communication, negotiation, and stakeholder management skills.
  • Ability to translate technical risks into business impact for senior leadership.

Preferred Certifications

  • Certified Third Party Risk Professional (CTPRP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • ISO 27001 Lead Auditor / Lead Implementer
  • Certified Information Privacy Professional (CIPP)
