REQUIREMENT TEMPLATE – Third-party Information Security Risk and Compliance Analyst

No. of positions

1

Prepared by

Account Name

Proximus – GCC – Bangalore

Service Line

Must have skills - 2 skills which are non-negotiable

• Conduct comprehensive audits of third-party information security policies, procedures, and controls.
• Participate in contract negotiations concerning the third-party information security annex.
• Lead online and in-person meetings with third parties.
• Analyse submitted security questionnaires and documentation to identify and assess potential vulnerabilities and risks. Raise issues promptly and provide mitigation options based on security issues identified.
• Prepare detailed risk assessment reports for senior leadership, providing insights and recommendations for third-party risk reduction.
• Contribute to the continuous improvement of the team's processes based on experience in third-party risk assessment, industry best practices, and internal policies and frameworks.
• Produce clear and structured documentation of processes, meetings, and other relevant activities.
• Initiate and lead improvement projects aimed at enhancing the efficiency and effectiveness of the Vendor Risk Management team.
• Collaborate with other sections within the company to ensure alignment of processes.
• Stay up-to-date with emerging technologies, threats, vulnerabilities, and industry best practices.
• Proficiency in risk management, cybersecurity control frameworks and standards (e.g. NIST RMF, ISO 27001, ISO 28000, CyFun, CCM)
• Desirable skills - 1 skill which is nice to have
• 2+ years' experience in third/party risk management, information security risk management, compliance, or a background in cybersecurity.
• Familiarity with information security processes, including risk assessment, vulnerability management, and incident response.
• Understanding of regulatory requirements (e.g. GDPR, NIS2, DORA)
• Proficiency in risk management, cybersecurity control frameworks and standards (e.g. NIST RMF, ISO 27001, ISO 28000, CyFun, CCM)
• Relevant certifications such as CISA, CISSP, CISM, ISO/IEC 27001Lead Implementer/Auditor, ISO/IEC 28000 Lead Implementer/Auditor, Security+.
• Advanced knowledge of Microsoft Office Suite (Word, Excel, PowerPoint, Outlook) to create professional documentation, presentations, dashboards, prepare statistics calculations, and optimize workflows.
• Knowledge of emerging technologies and their associated risks, especially in AI and cloud computing.
• Experience of using a Governance, Risk, and Compliance (GRC) tool.

Infosys role

Desired experience range

5-7 Years

Location(s) where this position can work out of

Proximus – GCC -BLR

Does this position require working from client office all or some days in the week? If yes pls provide details

Yes. Proximus-GCC-BLR

Is remote working allowed

Any additional things to be checked

Responsibilities and JD in brief along with additional criteria to be considered (if any):

• Conduct comprehensive audits of third-party information security policies, procedures, and controls.
• Participate in contract negotiations concerning the third-party information security annex.
• Lead online and in-person meetings with third parties.
• Analyse submitted security questionnaires and documentation to identify and assess potential vulnerabilities and risks. Raise issues promptly and provide mitigation options based on security issues identified.
• Prepare detailed risk assessment reports for senior leadership, providing insights and recommendations for third-party risk reduction.
• Contribute to the continuous improvement of the team's processes based on experience in third-party risk assessment, industry best practices, and internal policies and frameworks.
• Produce clear and structured documentation of processes, meetings, and other relevant activities.
• Initiate and lead improvement projects aimed at enhancing the efficiency and effectiveness of the Vendor Risk Management team.
• Collaborate with other sections within the company to ensure alignment of processes.
• Stay up-to-date with emerging technologies, threats, vulnerabilities, and industry best practices.
• 2+ years' experience in third/party risk management, information security risk management, compliance, or a background in cybersecurity.
• Familiarity with information security processes, including risk assessment, vulnerability management, and incident response.
• Understanding of regulatory requirements (e.g. GDPR, NIS2, DORA)
• Proficiency in risk management, cybersecurity control frameworks and standards (e.g. NIST RMF, ISO 27001, ISO 28000, CyFun, CCM)
• Excellent analytical and problem-solving skills, with the ability to interpret complex risk data and make informed decisions.
• Attention to detail.
• Strong written and verbal communication skills in English, capability to articulate complex risk concepts to technical and non-technical audiences.
• Capable of conducting professional business communications and effectively handling information security aspects of contract negotiations.
• Experience in aligning team processes with broader organizational goals.
• Proven ability to initiate and drive projects.
• A collaborative mindset and a positive attitude towards working with a diverse team.
• Relevant certifications such as CISA, CISSP, CISM, ISO/IEC 27001Lead Implementer/Auditor, ISO/IEC 28000 Lead Implementer/Auditor, Security+.
• Advanced knowledge of Microsoft Office Suite (Word, Excel, PowerPoint, Outlook) to create professional documentation, presentations, dashboards, prepare statistics calculations, and optimize workflows.
• Knowledge of emerging technologies and their associated risks, especially in AI and cloud computing.
• Experience of using a Governance, Risk, and Compliance (GRC) tool.
• Proficiency in English.
• Experience in the telecommunication domain.