Duration: 6 months to start
Job Description:
The Third Party Risk Management Analyst / Business Analyst (BA) is a temporary contractor supporting the Patient Trust initiative by identifying third-party processors that store, access, or handle patient data (including PHI/PII as applicable) and by strengthening oversight, accountability, and risk management of those processors. The BA partners with Security, Privacy, Procurement, Legal, Risk, and business owners to define requirements, analyze the current state, and deliver foundational governance artifacts such as a unified third-party patient data inventory, a vendor lookback plan, and a risk-tiering model.
Key Responsibilities:
- Deliver Phase 1 foundations for Workstream 3: translate the deck deliverables into requirements, detailed process steps, owners, and measurable outputs across the Vendor Lookback Plan, Unified Third-Party Patient Data Inventory, and Risk-Tiering Model.
- Vendor Lookback Plan (Apr-Nov): build the initial vendor universe by coordinating the OneTrust and LeanIX pulls and defining the comparison logic used to establish the starting population of potential patient-data vendors.
- Identify likely patient-data service areas: perform procurement taxonomy review, category classification, and targeted vendor list requests to focus on service areas most likely to process patient data.
- Consolidate and normalize the master vendor list: merge OneTrust/LeanIX/Procurement sources; deduplicate; standardize vendor names; and capture baseline context (service description, business owner, system/app linkage as available).
- Confirm patient data processing (in-scope determination): execute desktop validation and drive targeted business owner confirmations to finalize binary in-scope / out-of-scope decisions.
- Operationalize risk-based lookback triggers: define and document trigger logic (time since review, data sensitivity, volume, access level, criticality) and apply it to the in-scope vendor set to determine reassessment needs.
- Drive formal approval of the lookback methodology: prepare decision materials and facilitate approvals for scope, triggers, and prioritization logic with Workstream 3 stakeholders.
- Deliver the Unified Third-Party Patient Data Inventory (Jul-Nov): ensure the inventory captures required outputs (normalized vendor name, business owner, service description, patient data involvement yes/no, data types, geographic footprint, and risk tier once established).
- Build the Risk-Tiering Model (Aug-Nov) and prioritized lookback queue: define tier inputs (sensitivity, volume, access, criticality, time since review), group vendors into high/medium/low tiers tied to review expectations, and create an execution queue aligned to capacity, phased waves, and future automation.
- Support Phase 2 execution (Oversight & Monitoring): support the conduct of lookback assessments and the operationalization of the Third-Party Assurance Program (annual security & privacy reviews, evidence-based control testing, SOC 2 / ISO 27001 intake review processes).
- Continuous monitoring of critical vendors: help define the monitoring approach using questionnaires, external signals, and/or integrated vendor-risk tools; document thresholds, cadence, escalation paths, and reporting.
- Third-Party Incident Response Integration: define and document vendor notification and cooperation expectations within defined timeframes for patient data/PHI exposure events; align playbooks and handoffs with Security Incident Response and Privacy.
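The consolidation, lookback-trigger and risk-tiering steps above are easier to reason about as a small pipeline, so the following is an added illustration (it is not code from the posting, the client, or any of the named tools). The vendor records standing in for the OneTrust/LeanIX/Procurement pulls are constructed, the legal-suffix list, the 0..3 rating scales, the scoring weights, the tier thresholds and the 365-day review age are all assumptions chosen for the example, and the function names are hypothetical.

```python
"""Added example (not from the job posting): a toy pipeline covering the
vendor-list consolidation, lookback triggers and risk-tiering steps.
All vendor records, weights and thresholds below are constructed/assumed."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Corporate suffixes dropped during name normalization (illustrative list).
SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|corporation|co|gmbh|plc)\b", re.I)
AS_OF = date(2025, 6, 1)   # assumed "today" for the example run

def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes, collapse whitespace."""
    n = re.sub(r"[^\w\s]", " ", name.lower())
    n = SUFFIXES.sub(" ", n)
    return re.sub(r"\s+", " ", n).strip()

@dataclass
class Vendor:
    name: str                               # normalized key
    sources: set = field(default_factory=set)
    business_owner: Optional[str] = None
    service: Optional[str] = None
    patient_data: Optional[bool] = None     # None = in-scope decision not yet confirmed
    sensitivity: Optional[int] = None       # 0..3 (3 = PHI), assumed scale
    volume: Optional[int] = None            # 0..3
    access: Optional[int] = None            # 0..3 (3 = persistent privileged access)
    criticality: Optional[int] = None       # 0..3
    last_review: Optional[date] = None

CONTEXT_FIELDS = ("business_owner", "service", "patient_data", "sensitivity",
                  "volume", "access", "criticality", "last_review")

def merge_sources(*sources):
    """sources: (label, [record dicts]). Records sharing a normalized name
    collapse into one Vendor; the first source to supply a field wins."""
    merged = {}
    for label, records in sources:
        for rec in records:
            key = normalize_name(rec["name"])
            v = merged.setdefault(key, Vendor(name=key))
            v.sources.add(label)
            for f in CONTEXT_FIELDS:
                if getattr(v, f) is None and rec.get(f) is not None:
                    setattr(v, f, rec[f])
    return merged

def _n(x):
    return x or 0      # unrated field counts as 0

def risk_score(v: Vendor) -> int:
    # Assumed weights: sensitivity and access dominate, since PHI exposure is the harm in scope.
    return 3 * _n(v.sensitivity) + 2 * _n(v.access) + _n(v.volume) + _n(v.criticality)

def risk_tier(v: Vendor) -> str:
    score = risk_score(v)               # 0..21 with the weights above; thresholds assumed
    return "high" if score >= 14 else "medium" if score >= 8 else "low"

def lookback_triggers(v: Vendor, today: date, max_age_days: int = 365) -> list:
    """Reasons a vendor needs reassessment; an empty list means no trigger fired."""
    reasons = []
    if v.last_review is None:
        reasons.append("never reviewed")
    elif (today - v.last_review).days > max_age_days:
        reasons.append(f"last review older than {max_age_days} days")
    if _n(v.sensitivity) >= 3: reasons.append("handles PHI")
    if _n(v.volume) >= 3: reasons.append("high record volume")
    if _n(v.access) >= 3: reasons.append("persistent privileged access")
    if _n(v.criticality) >= 3: reasons.append("business critical")
    return reasons

TIER_RANK = {"high": 0, "medium": 1, "low": 2}

def build_queue(merged: dict, today: date):
    """Return (queue, pending): queue = confirmed in-scope vendors with a fired
    trigger, highest tier and score first; pending = vendors whose in-scope
    decision still needs a business-owner confirmation."""
    queue, pending = [], []
    for v in merged.values():
        if v.patient_data is None:
            pending.append(v.name)
            continue
        if not v.patient_data:
            continue                    # out of scope for this program
        triggers = lookback_triggers(v, today)
        if triggers:
            queue.append({"vendor": v.name, "tier": risk_tier(v),
                          "score": risk_score(v), "triggers": triggers})
    queue.sort(key=lambda q: (TIER_RANK[q["tier"]], -q["score"]))
    return queue, pending

# Constructed sample records standing in for the OneTrust/LeanIX/Procurement pulls.
SAMPLE_SOURCES = (
    ("OneTrust", [
        {"name": "Acme Health Analytics, Inc.", "patient_data": True, "sensitivity": 3,
         "volume": 2, "access": 3, "criticality": 2, "last_review": date(2023, 1, 15)},
        {"name": "MedTranscribe Ltd.", "patient_data": True, "sensitivity": 3,
         "volume": 3, "access": 1, "criticality": 1},
    ]),
    ("LeanIX", [
        {"name": "ACME HEALTH ANALYTICS INC", "business_owner": "Clinical Ops",
         "service": "claims analytics"},
    ]),
    ("Procurement", [
        {"name": "Bright Janitorial LLC", "service": "facilities", "patient_data": False},
        {"name": "Cloud Backup Co", "sensitivity": 2, "volume": 3, "access": 2,
         "criticality": 3, "last_review": date(2025, 3, 1)},
    ]),
)

if __name__ == "__main__":
    inventory = merge_sources(*SAMPLE_SOURCES)
    queue, pending = build_queue(inventory, AS_OF)
    for item in queue:
        print(item)
    print("needs in-scope confirmation:", pending)
```

Two design points worth keeping when this is done for real: the in-scope decision is tri-state (yes / no / unconfirmed), so an unrated vendor never silently drops out of the lookback population, and the queue records which triggers fired, which is the evidence the approval step on the lookback methodology needs.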
Required Qualifications:
- 5+ years of business analysis experience delivering process, data, and governance outcomes in regulated environments.
- Hands-on experience with third-party / vendor security risk management (TPRM), including risk assessments, evidence collection, remediation tracking, and stakeholder communications.
- Strong understanding of security and privacy fundamentals as they relate to third parties (e.g., access, data handling, encryption, incident response, audit artifacts).
- Demonstrated ability to build and maintain inventories or registries (vendors, applications, data flows) with attention to data quality, normalization, and reporting.
- Proficiency with requirements elicitation/documentation techniques (workshops, interviews, user stories, acceptance criteria) and process mapping.
- Excellent written and verbal communication skills; ability to translate technical and control concepts into business-friendly language.
- Experience working cross-functionally with Security, Privacy, Procurement/Vendor Management, Legal, IT, and business owners.
Preferred Qualifications:
- Experience supporting healthcare data programs and/or familiarity with HIPAA/HITECH concepts (or equivalent healthcare privacy/security frameworks).
- Experience reviewing third-party audit reports and certifications (SOC 2 Type II, ISO 27001, NIST Privacy Framework, ISO 27701) and translating results into risk decisions.
- Experience with TPRM and GRC tooling and/or enterprise inventory sources (e.g., OneTrust, LeanIX, procurement systems, vendor-risk platforms).
- Experience defining risk tiering methodologies and prioritization queues aligned to capacity and operational realities.
- Familiarity with contract/security addenda requirements and third-party incident notification language.
- Project delivery experience in Agile, hybrid, or waterfall environments; comfort with backlog management and delivery planning.
Talent Groups is an equal opportunity employer that values diversity and inclusion. All qualified applicants will receive consideration without regard to protected characteristics. The listed compensation range represents a good-faith estimate and may vary based on experience, skills, education, certifications, market conditions, client budget, and location, in accordance with applicable pay transparency laws.