Vendor Risk Specialist
1 Hacker Way Menlo Park, CA 94025
The Vendor Risk Manager's responsibility is to anticipate, identify, monitor, and mitigate risks associated with third-party technology providers. Vendor risk management will include the routine compliance assessment and analysis of vendor information security practices and governance, legal, and industry compliance. In addition, the vendor risk manager is tasked with compiling data and completing documentation related to vendor risk, as well as ensuring that the issues that arise are appropriately captured, assessed, and mitigated to acceptable levels.
- Develop, coordinate, and implement vendor risk management frameworks, policies and processes within a broader enterprise, operational and IT risk management model.
- Coordinate the identification and ranking of vendor risks.
- Coordinate the classification and tiering of vendors by risks and risk impacts.
- Build communication and escalation plans around vendor risk management activities within the enterprise.
- Understand and apply relevant regulatory and legal compliance requirements (under direct supervision of the Legal team partner).
- Manage vendor risks as defined in vendor contracts and in accordance with existing risk management programs and policies.
- Develop, monitor and possibly execute vendor remediation actions and mitigation plans when risks or events are identified.
- Ensure third- (and increasingly, fourth) party vendor regulatory compliance.
- Coordinate the gathering of vendor risk assessment data and prepare risk assessments for critical-related vendors as needed, to be published and communicated to stakeholders.
- Track identified risks and risk events.
- Influence vendors and business partners to ensure compliance with risk management policies.
- Collaborate as appropriate with information security, compliance and/or disaster recovery and business continuity management to maintain an enterprise risk management program.
- Work with regulatory officers and auditors as necessary.
- Communicate identified risk requirements and violations to internal stakeholders (and end users within the business) and responsible vendors while supporting the response to and addressing of these issues.
- A minimum of three to five years of experience in vendor risk management and compliance issues, or similar experience managing applications, projects or systems that require identification, evaluation and remediation of risk
- Technical background or demonstrable understanding of a range of operational and IT risks and operations
- Strong business background; experience gathering and interpreting risks and associated impacts in context of financial and operational concerns
- Strong understanding of complex vendor risk-related issues through demonstrated experience managing vendor relationships, information security or regulatory compliance programs, and audits
- Familiarity with local/regional/global industry and government regulations: Sarbanes-Oxley Act, Payment Card Industry Security [PCI] Standards, Health Insurance Portability and Accountability Act [HIPAA] and FedRAMP
- Experience influencing third parties and managing vendor relationships
- A Bachelor's degree in an analytical field is required: general business, economics, psychology, computer science, mathematics, statistics, political science or finance (candidates with significant related experience with a non-analytical degree will be considered)
- MBA or other advanced degree is desirable
- Desired professional qualifications may include:
  - Certification in Risk Management Assurance (CRMA)
  - Certified Information Systems Auditor (CISA)
  - Certified Information Systems Security Professional (CISSP)