Third Party Risk Management (TPRM) Analyst

  • Posted 13 hours ago | Updated 13 hours ago

Overview

Remote
Depends on Experience
Contract - W2

Skills

CISA
CISSP
Cyber Security
ISACA
ISO/IEC 27001:2005
IT Risk Management
Information Security
Penetration Testing
Vendor Management
System On A Chip
IT Audit
IT Risk
Continuous Monitoring

Job Details

NO C2C NO C2C NO C2C NO C2C NO C2C NO C2C NO C2C NO C2C NO C2C

Position Title: Third Party Risk Management (TPRM) Analyst
Location: Remote (Preference for Central or West Coast; San Francisco a plus)
Reports To: Director of Information Security
Duration: 6-12 months (potential for extension)

Role Summary

The Third Party Risk Management (TPRM) Analyst will play a key role in protecting the Firm's data and reputation by assessing and monitoring the cybersecurity posture of vendors and other third parties. This individual will manage vendor security reviews from start to finish, working proactively with vendors to gather required documentation, leveraging BitSight for continuous monitoring, and coordinating with internal stakeholders for review, approvals, and remediation tracking. The ideal candidate is detail-oriented, self-motivated, and capable of managing multiple assessments while maintaining excellent communication across technical and business teams.

Key Responsibilities

  • Vendor Security Assessments: Conduct end-to-end third-party risk assessments, including the review of ISO 27001 certifications, SOC 1 and SOC 2 reports, penetration test results, and security questionnaires.
  • BitSight Monitoring: Use BitSight tools to evaluate and continuously monitor vendors' cybersecurity posture, flagging potential risks and coordinating follow-up actions.
  • Vendor Engagement: Communicate directly with vendors to request evidence, clarify responses, and ensure timely completion of assessments.
  • Internal Collaboration: Partner with Information Security, Procurement, and Legal teams to communicate findings, secure approvals, and determine next steps for onboarding or remediation.
  • Documentation & Tracking: Maintain detailed records in the vendor risk management system, ensuring all assessments, decisions, and risk ratings are up to date.
  • Remediation Oversight: Track and follow up on open issues with vendors, ensuring identified risks are addressed within agreed timelines.
  • Process Improvement: Contribute to the enhancement of TPRM processes, workflows, and reporting to increase efficiency and consistency.
  • Continuous Learning: Stay informed on cybersecurity threats, evolving regulations, and best practices in vendor and third-party risk management.

Qualifications

  • Education: Bachelor's degree in Information Security, Information Technology, Risk Management, or related field (or equivalent experience).
  • Experience: Minimum 2 years of experience in vendor risk management, information security, or IT audit.
  • Technical Knowledge: Familiarity with common security and privacy frameworks (ISO 27001, NIST CSF, SOC 2 Trust Service Criteria).
  • Tools: Experience using BitSight, SecurityScorecard, or similar third-party risk rating platforms.
  • Communication: Strong written and verbal communication skills; able to clearly present findings to both technical and non-technical stakeholders.
  • Organization: Highly proactive, detail-oriented, and able to manage multiple concurrent assessments with minimal supervision.
  • Preferred Industry Experience: Prior work in a law firm, financial services, or other regulated environment.

Preferred Skills

  • Knowledge of data privacy regulations (GDPR, CCPA, HIPAA).
  • Familiarity with vendor management systems (e.g., Archer, OneTrust, ProcessUnity).
  • Professional certifications such as CISA, CRISC, CISSP, or CTPRP.

Engagement Details

This role is ideal for a hands-on, proactive analyst who can balance technical understanding with clear communication and follow-through, helping ensure the Firm's vendors meet the highest security and compliance standards.

CIMA Consulting Group is an Equal Opportunity Employer

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.