Assistant Vice President, Vendor Risk Manager, Technology And Operations

Year    Mumbai, Maharashtra, India
entres building patel nager near by metro, India

Job Description

Business Function
Technology and Operations (T&O) enables and empowers the bank with an efficient, nimble and resilient infrastructure through a strategic focus on productivity, quality & control, technology, people capability and innovation. In Group T&O, we manage the majority of the Bank's operational processes and aspire to delight our business partners through our multiple banking delivery channels.

This role is responsible for establishing, implementing, and maintaining a robust third-party risk management program. This role involves overseeing the assessment and continuous monitoring of third-party vendors and partners to identify, evaluate, and mitigate information security, compliance, and operational risks. This role will ensure that third-party relationships adhere to internal policies, industry standards, and regulatory requirements, protecting the organization's assets and reputation.
Key Responsibilities:

  • Program Management: Develop, implement, and continuously improve the organization's Third-Party Risk Management (TPRM) framework, policies, procedures, and guidelines.
  • Risk Assessment & Due Diligence:
    • Perform comprehensive end-to-end and in-depth information security assessments of third parties throughout their lifecycle (onboarding, ongoing, offboarding).
    • Conduct due diligence reviews of prospective and existing third-party vendors, assessing their security controls, compliance posture, and operational capabilities.
    • Advise and assess security mitigating controls for Network, Server, Endpoint security, Data protection (PII, Cards), Cloud security (Azure/AWS/GCP/OCI), Encryption, and API security.
    • Review implementation of standards such as PCI-DSS, PCI-PIN, and PA-DSS as applicable to third parties.
  • Continuous Monitoring: Establish and manage processes for the periodic assessment and continuous monitoring of third-party and ecosystem partners' security posture and compliance.
  • Risk Mitigation & Advisory:
    • Identify potential risks associated with third-party engagements and projects, and advise on effective mitigation strategies.
    • Provide expert guidance on control implementation for the protection of sensitive data and adherence to security-by-design principles.
  • Reporting & Stakeholder Engagement:
    • Responsible for audit planning, report review, and reporting on third-party risk posture to senior management and other stakeholders.
    • Liaise with business units on new third-party requirements, ensuring risk is considered from the outset.
    • Collaborate with internal teams (e.g., Legal, Procurement, IT, CISO team, Group Security) to ensure a consistent and integrated approach to third-party risk management.
    • Work with the CISO team on regulatory requirements and submissions pertaining to Digital Payment security for third-party engagements.
    • Liaise with business and partners on compliance and regulatory assurance related to third parties.
  • Compliance & Standards:
    • Ensure third-party engagements comply with relevant laws, regulations, and industry standards.
    • Review and validate third-party adherence to recognized security frameworks and standards such as ISMS (ISO 27001), SOC (Service Organization Control reports), and NIST CSF.
Requirements
  • Strong understanding and practical experience with Third-Party Risk Management (TPRM) principles and best practices.
  • In-depth knowledge of information security domains, including network, server, endpoint, data protection, cloud security (Azure/AWS/GCP/OCI), encryption, and API security.
  • Clear understanding of application security assessments, source code review, and VAPT (Vulnerability Assessment and Penetration Testing).
  • Strong fundamentals of Defense-in-Depth security and SDLC (Software Development Life Cycle) processes.
  • Excellent understanding of industry standards and frameworks such as PCI-DSS, PCI-PIN, PA-DSS, ISMS (ISO 27001), SOC, and NIST CSF.
  • Proven ability to conduct security assessments and interpret security reports.
  • Strong analytical, problem-solving, and communication skills to effectively engage with internal and external stakeholders.
  • Experience with audit planning and reporting.
  • Ability to work independently and manage multiple third-party relationships concurrently.

Job Detail

  • Job Id
    JD4613325
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Permanent
  • Job Location
    Mumbai, Maharashtra, India
  • Education
    Not mentioned
  • Experience
    Year