Company: Pan-American Life Insurance Group

Address: New Orleans, LA
Form of work: Full-Time
Category: Information Technology

Job description

The "Security Third Party Risk Management (TPRM) Analyst" will perform analysis and assessments of external partner relationships, and their documented controls, to determine whether the engagement meets Pan American's risk appetite. Analysis will be conducted based on Federal & State laws and regulations as well as industry best practices. The analyst will be responsible not only for identifying the risks and controls but also for providing innovative mitigation efforts, when needed, to lower the residual risk to the company.
The position reports to the US Group business unit. Job duties will be mostly under the direction of the Corporate Information Security Department to work on tasks for the benefit of US Group. In some cases, there could be some related tasks complementary to this role under the direct direction of US Group Management, in which Information Security guidance is not required.
Able to balance many simultaneous demands, the position must support our Legal and Compliance requirements, while having a consultative approach enabling the dynamic needs of prospective business opportunities, organizational risk appetite, and the core values of Pan-American Life. The position will work closely with our Product teams, Legal, Compliance, Information Security, Internal Audit, Finance, Accounting, and IT departments.
Job Duties:
Perform assessments on internal and external partner information security, cybersecurity, IT architecture and privacy documented controls.

  • Review and document current stated controls based on documented controls and other documented pieces of information provided by both internal and external resources.
  • Communicate findings with internal stakeholders from both the business line and corporate areas
  • Establish or align with a governance framework to assess risk levels based upon adherence to information security, cybersecurity, IT architecture and privacy controls

Remain informed about laws, regulations, policies and best practices as they relate to information security, cybersecurity, IT architecture and privacy - US focused
  • Reviews regulatory requirements, identifying gaps and issues within a Group-wide framework to synthesize and consolidate requirements.
  • Understand the evolving legal and compliance landscape and the implications to current and future business opportunities with a focus in the US market
  • Proactively take action to investigate and communicate possible impacts to existing processes or technologies

Design, develop, and/or recommend approaches to mitigate potential privacy, information security, cybersecurity and IT architecture risks and control gaps
  • Communicate proposed solutions with internal and external stakeholders to mitigate the residual risks identified.
  • Lead and/or support the implementation of information security, cybersecurity, IT architecture and privacy control initiatives

Third Party Risk Management Governance
  • Works with US Group Third Party Risk Management team and other stakeholders to on-board, off-board and perform on-going due diligence and risk mitigation for external and internal resources.

Collaborate with corporate and other business line peers
Education & Experience:
Required: Bachelor's Degree in Computer Science, Information Technology or similar field, 3-5 years' experience in Information Security, cybersecurity, IT architecture and privacy as a lead or Senior Analyst. An additional 4 years of related experience may be substituted in lieu of a degree. 5 or more years of experience in oversight of Third-Party engagements with proven experience in process generation, change management and overall Third Party Risk Management structure.
Certifications, Licenses & Registrations
Required: None
Preferred: Information Security, cybersecurity, IT architecture, audit or privacy certifications are a plus (GIAC, CISA, CISSP, CQA, CRISC or similar)
Technical skills:
  • Fluent in English. Bilingual (Spanish) is a plus.
  • Ability to apply cybersecurity, cyber architecture, information security and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, etc.).
  • Proven knowledge of Federal and State regulations, laws, policies, procedures, or governance relevant to cybersecurity, information security, IT architecture and privacy for all infrastructure types.
  • Proven knowledge of Personal Health Information (PHI) data security standards.
  • Proven knowledge of Personally Identifiable Information (PII) data security standards.
  • Proven knowledge of Payment Card Industry (PCI) data security standards.
  • Proven knowledge of Third Party Risk Management processes, procedures, and framework (e.g., methods for assessing and mitigating risk).
  • Skill in conducting audits or reviews of internal and external processes and technical systems.
  • Ability to design and conduct valid and reliable assessments.
  • Skill in evaluating the adequacy of security and privacy designs and their implementation.
  • Proven knowledge of systems security testing and evaluation methods.
  • Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • Understanding of Business Continuity / Disaster Recovery management principles.
  • Ability to relate strategy, business, and technology in the context of organizational dynamics.

Soft skills:
  • Ability to manage a large number of initiatives at the same time and prioritize accordingly
  • Skill in preparing plans and related correspondence.
  • Ability to think critically.
  • Consultative mindset
  • Ability to collaborate effectively with both internal and external parties.
  • Ability to exercise judgment and operate effectively under ambiguous circumstances.
  • Skill in interfacing with customers and business partners.
  • Ability to apply collaborative skills and strategies to risk assessments, remediation efforts and change management.
Refer code: 8800936. Pan-American Life Insurance Group - The previous day - 2024-03-30 13:02
