Analyst: Third Party Risk Management (TPRM), Vendor Risk, and Supply Chain

ZipRecruiter

Salt Lake City (UT)

On-site

USD 60,000 - 100,000

Full time

10 days ago

Job summary

An established industry player is seeking a Security Assurance Analyst to lead Third Party Risk Management and Supply Chain security assessments. This pivotal role involves evaluating vendor security postures, identifying control gaps, and ensuring compliance with regulatory frameworks. You will contribute to security initiatives, perform audits, and enhance the organization's resilience against supply chain risks. Join a dynamic team where your expertise in security assurance will help safeguard critical business operations, and enjoy a collaborative environment that champions professional growth and development.

Benefits

Paid Vacation Time
Paid Sick Time
401k 6% match
Medical Insurance
Dental Insurance
Vision Insurance
Employee Assistance Program
Learning and Career Development Opportunities

Qualifications

  • 3+ years in third party risk management and vendor security assessments.
  • Strong understanding of security frameworks like NIST and ISO 27001.

Responsibilities

  • Conduct security risk assessments of third-party vendors.
  • Evaluate vendor security controls and compliance with frameworks.
  • Collaborate with teams to integrate security risk considerations.

Skills

Third Party Risk Management
Vendor Security Assessments
Supply Chain Risk Evaluations
Security Frameworks (NIST, ISO 27001)
Analytical Skills
Communication Skills

Education

Bachelor's Degree in a related field
Certifications (CISSP, CRISC, CISA, CISM)

Tools

GRC Tools (Archer, LogicGate, OneTrust, ServiceNow)

Job description

Job Summary

The Security Assurance Analyst-TPRM will be responsible for leading, processing, and executing Third Party Risk Management (TPRM) and Supply Chain security assessments on prospective and existing vendors. This encompasses identifying and tracking remediation action plans, performing remote investigative questioning or audits, and in-person on-site security reviews (at the vendor location). This role plays a key part in protecting the organization from supply chain risks by evaluating vendor security postures, identifying control gaps, and ensuring compliance with regulatory and industry frameworks.

Additionally, you will contribute to the testing and validation of security and IT controls, support internal security assurance initiatives, and assist in compliance activities related to SOC 2, ISO 27001, NIST, or other applicable frameworks and industry best practices.

This role participates in and/or conducts the following, among other duties: raises the level of security awareness among employees and about vendor integration risks, does individual user and group trainings on the vendor relationship owner duties, issues and evaluates security questionnaires to third parties, reviews external vulnerability testing including audit reports and auditor assessments, assists with creating or updating security policies, other internal and external auditor activities, raises internal documentation standards, and moves the organization toward mitigation of information security risks.

* Applicants must be legally eligible to work in the United States to be considered. Visa sponsorship is not available for this role *

Essential Duties and Responsibilities

Third Party Security Risk Management:

  • Conduct security risk assessments of third party vendors, including SaaS providers, cloud services, and critical business partners.
  • Evaluate vendor security controls, certifications, and attestations (e.g., SOC 2, ISO 27001, SIG, CSA STAR).
  • Identify security risks, document findings, and work with vendors on remediation plans.
  • Perform on-site security reviews and audits of critical third parties as needed.
  • Maintain and enhance the Third Party Risk Management (TPRM) framework, aligning with industry best practices.
  • Partner with Procurement, Privacy, Legal, Software Intake, and Vendor Relationship Owners, and other business teams to integrate security risk considerations into vendor selection and contract negotiations.
  • Perform annual re-validation of high-risk vendors to ensure compliance, and review lower risk-rated vendors on a recurring cadence.
  • Maintain TPRM policies and job aids.
  • Train co-workers on processes, practices, and their TPRM responsibilities.

Security Assurance & Compliance Testing:

  • Execute security and IT control testing to validate compliance with regulatory requirements and internal policies.
  • Support enterprise compliance efforts.
  • Assess cybersecurity policies, processes, and controls for effectiveness and alignment with industry frameworks.
  • Assist in maintaining security documentation and audit artifacts to support internal and external audits.
  • Perform information security assessments, compliance gap analyses, and risk assessments as needed.
  • Administer TPRM processes in the enterprise GRC platform.

Supply Chain Risk Assessments:

  • Conduct comprehensive supply chain risk assessments, identifying vulnerabilities and developing mitigation strategies.
  • Develop and implement strategies to enhance supply chain resilience, including diversification of suppliers and maintaining inventory buffers.
  • Collaborate with procurement and logistics teams to ensure continuity of supply during disruptions.
  • Assess and manage cyber risks associated with the supply chain, including risks from third-party software and hardware.
  • Analyze, recommend, and monitor cybersecurity measures to protect against supply chain attacks.

Collaboration & Reporting:

  • Collaborate with Technology, IT Security, Engineering, Privacy, Risk Management, and other assurance or compliance teams to align third party risk management with enterprise security objectives.
  • Prepare and deliver risk assessment reports, security scorecards, and executive summaries.
  • Generate and QA third party risk metrics (KRIs/KPIs) and provide periodic reporting to leadership.
  • Cross-train with team members.
  • Train end-users and manage the work of those submitting vendor requests.
  • Other duties as assigned.

Travel Requirements: Less than 25%

Supervisory Responsibility

This position has no direct supervisory responsibilities but does serve as a coach and mentor for other positions in the department.

Education

4-year / Bachelor's Degree in a related field

Minimum Certification: One or more of the following Certifications: CISSP, CRISC, CISA, CISM or other equivalents

Certification: One or more of the following Certifications: CSCP or CRISC

Experience

3 years of experience in third-party risk management, vendor security assessments, and supply chain risk evaluations, including both physical and cyber risks.

2 years of experience in IT security assurance, auditing, and controls testing, and in supply chain operations, logistics, and procurement processes.

Knowledge, Skills, and Abilities

  • Ability to work with others in both individual and team settings, including presenting content.
  • Ability to write workflow diagrams, system documentation, job aids, policies, etc.
  • Strong analytical and communication skills to engage with vendors, executives, and technical teams.
  • Knowledge and understanding of security frameworks such as NIST 800-53, ISO 27001, SOC 2, HIPAA, or FedRAMP.
  • Understanding of security domains, including cloud security, data protection, and security architecture.
  • Experience with GRC tools (e.g., Archer, LogicGate, OneTrust, ServiceNow, or similar) is a plus.
  • Professional can-do attitude, team player, good interpersonal communication skills, and the ability to work across company departments and to negotiate with vendors and internal stakeholders.
  • Ability to juggle competing or shifting priorities including performing audit support or alternate job duties during non-peak TPRM times while maintaining daily TPRM job function.

Working Conditions and Physical Requirements

  • Able to sit, stand, and type for a long period of time in an office environment using computer equipment.
  • Dexterity of hands and fingers to operate a computer keyboard, mouse, webcam, tools, and to handle other computer components.
  • Employee must have a reliable source of internet service when not on-site.
  • Local personnel are currently required to work part of the week in the office.
  • On-video attendance is expected for most meetings.

Benefits

  • Paid Vacation Time and Paid Sick Time and Paid Holidays
  • 401k 6% match with immediate vesting
  • Nationwide Medical Insurance plans and coverage (Medical, Dental/Orthodontia, Vision)
    • TeleDoc
    • HSA company match
    • 3 Medical plan options including a Low Deductible PPO Medical Plan Offering
  • Employee Assistance Program
  • Engaged Employee Resource Groups
  • Outstanding Learning and Career Development Opportunities

Pay Range: Actual pay may vary up or down depending on job-related factors which may include knowledge, skills, experience, and location. In addition, this position may be eligible for incentive compensation.

Company Summary

Our Mission…Harnessing the power of , we connect diverse people and enrich the human experience.

Our Vision…To provide global services that expand opportunities, nurture belonging, and empower the world to connect beyond words.

As one of the world’s leading services providers, Sorenson combines patented technology with human-centric solutions. We strive to increase , equity, , and accessibility for underrepresented people through communication solutions for all: call captioning and video relay services, over-video and in-person sign and spoken interpreting, translation, real-time captioning, and post-production services.

Sorenson’s impact vision and plan extends to supporting employment opportunities for diverse employees, customers, and communities. As a minority-owned company, we are committed to expanding opportunities for underserved communities while promoting an inclusive workplace for our own employees.

Equal Employment Opportunity:
Sorenson Communications is an Equal Opportunity, Affirmative Action Employer.
