Third Party Security Risk Analyst

Dallas, Texas


Employer: UT Southwestern Medical Center
Industry: Information Technology
Salary: Competitive
Job type: Full-Time

Third-Party Security Risk Analyst - Information Security

Why UT Southwestern?

With over 75 years of excellence in Dallas-Fort Worth, Texas, UT Southwestern is committed to excellence, innovation, teamwork, and compassion. As a world-renowned medical and research center, we are looking for strategic thinkers who will help assure the security and compliance of UT Southwestern. With a career in our Information Technology department at UT Southwestern, you will be able to help with our mission to provide exceptional clinical care and create cutting-edge research programs as you grow your IT and security career. We invite you to be a part of the UT Southwestern team where you'll discover a culture of teamwork, professionalism, and a life-changing career!

Job Summary

UT Southwestern is in search of a Third-Party Security Analyst. This position ensures that standards, procedures, and activities align with regulatory mandates and internal policies while actively utilizing Third-Party Risk Management tools. The analyst establishes and enforces vendor security requirements, monitors and reports on vendor compliance with security standards, and recommends actions to reduce and manage risk. Additionally, the analyst conducts regular risk and vulnerability assessments, develops and manages risk mitigation strategies, ensures compliance with cybersecurity laws and standards, participates in incident response and post-incident analysis, assesses cybersecurity governance frameworks, implements continuous monitoring processes, develops and reports on cybersecurity performance metrics, and plays a crucial role in fostering a culture of security awareness within the organization. At least one related industry certification is required (e.g., CISSP, GIAC, CEH, CISA, CISM, CRISC).

Experience and Education

Minimum Requirements
  • Bachelor's degree in information security, risk management, governance, or related field; or equivalent work experience.
  • Five (5) years of experience in cybersecurity risk and compliance, information security management of third-party vendors, conducting risk assessments, or related security experience.
  • The preferred candidate will have diverse experience managing threats by using and administering security tools, systems, vendor partnerships, and analysis processes.
  • At least one related industry certification is required (e.g., CISSP, GIAC, CEH, CISA, CISM, CRISC).
Job Duties

Third-Party / Vendor Risk Management:
  • The Third-Party Security Analyst ensures that functional standards, procedures, and activities align with regulatory mandates and internal policies, procedures, best practices, and standards.
  • Role will include actively leveraging Third-Party Risk Management tools and vendor services as an integral part of the day-to-day program responsibilities.
  • The Third-Party Security Analyst will assess, analyze, and interpret operational third-party risk documentation to facilitate third-party risk management in collaboration with vendors and business lines.
  • The Third-Party Security Analyst will safeguard information by identifying security risks, leveraging continuous monitoring, assessment activities and overall managing cybersecurity risks associated with third-party vendors.
  • The Third-Party Security Analyst will establish, enforce, and monitor security requirements for vendors.
  • The Third-Party Security Analyst will monitor, evaluate, and report on vendor compliance with security standards and recommend actions to reduce and manage risk.
IT Systems Risk Assessment, Management, and Cyber Framework Alignment:
  • Identify and assess third-party cybersecurity risks to the organization.
  • Conduct regular recurring risk assessments and vulnerability assessments.
  • Develop third-party risk mitigation strategies and plans.
  • Monitor and manage third-party risk mitigation activities.
Compliance Management:
  • Stay abreast of relevant cybersecurity laws, regulations, and standards, specifically involving third parties and risks.
  • Ensure the organization's compliance with applicable laws and standards. Conduct regular compliance assessments and partner with internal teams.
  • Develop and maintain documentation to demonstrate compliance.
Incident Response and Management:
  • Act as a core member of the incident response team for third party risk scenarios and incidents.
  • Coordinate response efforts during cybersecurity incidents. Conduct post-incident analysis and implement improvements and requirements for third parties.
Security Governance:
  • Assess against third-party cybersecurity governance frameworks.
  • Ensure appropriate levels of oversight and accountability for controls.
Continuous Monitoring and Improvement:
  • Implement continuous monitoring processes for third-party cybersecurity controls.
  • Regularly evaluate and update security measures based on evolving threats.
  • Participate in lessons-learned sessions to improve cybersecurity posture.
Security Metrics and Reporting:
  • Develop and report on key cybersecurity performance metrics.
  • Communicate third-party cybersecurity status and risks to internal teams.
Security Awareness and Culture:
  • Foster a culture of security awareness and responsibility throughout the organization.
  • Performs other duties as assigned.
Knowledge, Skills & Abilities

Work requires troubleshooting skills for complex technical environments. Work requires proven experience in cybersecurity governance, risk, and compliance. Strong understanding of cybersecurity laws, regulations, and standards. Experience with risk assessment methodologies and tools. Knowledge of incident response procedures and best practices. Work requires familiarity with vendor risk management frameworks. Work requires excellent oral and written communication skills. Work requires the ability to collaborate with various levels of staff and management. Work requires the ability to multi-task and prioritize projects in a fast-paced environment. Work requires an understanding of compliance-driven environments and established frameworks (e.g., HIPAA, CIS, NIST RMF, etc.). Work requires technical system vulnerability, configuration assessment, and hardening guidance for multiple platforms.

Working Conditions

Work is performed primarily in an office or computer lab/system environment with occasional exposure to noise and moving mechanical and electrical parts.

To learn more about the benefits UT Southwestern offers visit https://www.utsouthwestern.edu/employees/hr-resources/

For general COVID-19 information, applicants should visit https://www.utsouthwestern.edu/covid-19/work-on-campus/

This position is security-sensitive and subject to Texas Education Code §51.215, which authorizes UT Southwestern to obtain criminal history record information. UT Southwestern Medical Center is committed to an educational and working environment that provides equal opportunity to all members of the University community. As an equal opportunity employer, UT Southwestern prohibits unlawful discrimination, including discrimination on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, gender expression, age, disability, genetic information, citizenship status, or veteran status.

Created: 2024-08-28
Reference: 809127
Country: United States
State: Texas
City: Dallas
ZIP: 75287
