
Description:
Job Title: Vendor Audit | AVP (Third-Party Risk Management Specialist)
Function: BFSI, Investments & Trading / Cyber Security Audit
Experience: 8-15 Years
Location: Mumbai
Role Summary:
The Vendor Audit | AVP is a senior individual contributor role responsible for architecting, implementing, and managing the organization's entire Third-Party Risk Management (TPRM) lifecycle within the highly regulated Banking sector.
This position requires deep technical expertise (8-15 years) in conducting comprehensive cyber security and compliance audits of vendors, focusing on frameworks such as PCI-DSS and ISO 27001, and mitigating risks associated with sensitive data and cloud environments.
The incumbent must be decisive, possess excellent communication skills, and report directly on the security and compliance posture of all third-party and ecosystem partners to senior management.
Role and Responsibilities:
TPRM Framework Development & Governance:
- Develop, implement, and continuously improve the organization's Third-Party Risk Management (TPRM) framework, including formal policies, detailed procedures, and operational guidelines, ensuring alignment with regulatory expectations.
- Ensure all third-party engagements comply with relevant laws, regulations, and industry standards, including specific focus on data localization and protection mandates.
Security Assessment & Due Diligence:
- Perform comprehensive, end-to-end, and in-depth information security assessments of third parties across their entire lifecycle (onboarding, ongoing, and offboarding).
- Conduct meticulous due diligence reviews of both prospective and existing third-party vendors, technically assessing their security controls, compliance posture, and operational capabilities.
- Review and validate third-party adherence to recognized security frameworks and standards, including ISMS (ISO 27001), SOC (Service Organization Control reports - Type I/II), and NIST CSF.
Technical Advisory & Controls Validation:
- Advise and technically assess security mitigating controls implemented by vendors for critical domains: Network segmentation, Server hardening, Endpoint security, Data protection (specifically PII, Cardholder Data), Encryption standards (in-transit/at-rest), and API security.
- Review and validate the vendor's implementation of specific payment industry standards, including PCI-DSS, PCI-PIN, and PA-DSS, as applicable to their service delivery and environment.
- Provide expert guidance on control implementation for the protection of sensitive data, ensuring vendors adhere to strict security-by-design principles from the outset.
- Evaluate controls within diverse Cloud security environments (Azure/AWS/GCP/OCI) used by third parties.
Continuous Monitoring & Risk Mitigation:
- Establish and manage robust processes for the periodic assessment and continuous monitoring of third-party security posture and compliance across the entire partner ecosystem.
- Identify potential risks associated with all third-party engagements and projects, providing expert advice on effective, pragmatic mitigation strategies.
Stakeholder Reporting & Coordination:
- Audit Planning & Reporting: Take ownership of audit planning, perform detailed report reviews, and be responsible for accurate and timely reporting on the overall third-party risk posture to senior management (including the Board and Audit Committee) and other key stakeholders.
- Liaison: Act as the primary liaison with business units on new third-party requirements, ensuring risk is meticulously considered and integrated from the initial planning stages.
- Regulatory Support: Work directly with the CISO team on preparing and managing regulatory submissions pertaining to Digital Payment security for third-party engagements.
- Collaboration: Collaborate with internal functions (Legal, Procurement, IT, CISO, Group Security) to enforce a unified, consistent, and integrated approach to vendor risk management.
Required Key Skills
- Third-Party Risk Management (TPRM): Extensive, hands-on experience (8-15 years) developing and executing end-to-end Third-Party Risk Management frameworks and programs.
- Audit & Assessment: Proven expertise in conducting in-depth security Audit assessments (technical, procedural, and compliance) of vendors and service providers.
- Compliance Standards: Deep technical knowledge and experience reviewing adherence to global standards: PCI-DSS, ISO 27001, SOC reports, and banking regulations.
- Cyber Security Domains: Strong understanding of security controls across Network, Endpoint, Data Protection, Cloud (Azure/AWS), and API security.
- Vendor Management: Experience in the full Vendor Management lifecycle, from due diligence to offboarding risk mitigation.
- Vulnerability Analysis: Functional understanding of VAPT (Vulnerability Assessment and Penetration Testing) reports and ability to interpret and validate vendor remediation plans.
Preferred Skills
- Professional certifications such as CISSP, CISA, CRISC, CISM, or Cloud Security Certifications (e.g., CCSP, Azure AZ-500).
- Direct experience implementing or managing GRC platforms (e.g., Archer, MetricStream) for TPRM workflows.
- Strong background in managing vendor risk specifically related to payment processing or cloud-based services.
- Legal or contractual review experience related to security clauses (e.g., SLAs, breach notification).
- Post-Graduate/Master's degree in Cyber Security, IT, or Business Administration.