Third Party Risk Management Lead
Location: NTCC
Job Type: Full Time
Department: Cybersecurity
Reports to: GRC Manager
Job Summary:
The Third-Party Risk Management (TPRM) Lead will be responsible for developing, implementing, and managing a comprehensive third-party risk management program. This role will ensure that all external vendors, suppliers, and partners meet the organization's security, compliance, and operational risk requirements. The TPRM Lead will work closely with procurement, legal, Iarnród Éireann ICT, Group IT, the cyber team, and other business units to assess, monitor, and mitigate third-party risks effectively, and will be part of a growing risk management function that plays a crucial role in protecting the organization from third-party threats.
Key Responsibilities:
- Enhance the third-party risk management framework so that it aligns with regulatory, legal, and business requirements.
- Conduct initial and ongoing risk assessments of third-party vendors, ensuring compliance with industry standards and best practices.
- Develop and maintain ongoing monitoring mechanisms for third-party risks, ensuring timely remediation of identified issues.
- Conduct in-depth supplier IT risk assessments by reviewing supplier answers to the cyber supplier questionnaire, documenting controls and identifying gaps and inconsistencies.
- Develop a new, streamlined onboarding process using workflow automation, rules, formulas, and interactive questionnaires, significantly reducing onboarding time and automating third-party vendor risk profiling.
- Conduct internal scoping assessments with business and project owners to accurately tier suppliers and categorize them based on risk levels and business criticality.
- Perform in-depth due diligence reviews on vendors to proactively identify any potential risks associated with services offered to Iarnród Éireann. These reviews will cover risk and gap assessments, threat profiling and analysis, security incident history reviews, and thorough evaluations of supplier policies and procedures, current security controls, third-party penetration testing reports, vulnerability management reports, and information security attestations (e.g., SOC 2 reports, NIST or ISO 27001 assessments, PCI DSS reports).
- Manage relationships with large third-party suppliers involved in transformative, high-impact projects and business-as-usual activities for Iarnród Éireann. This includes facilitating collaboration between key business owners, procurement, architecture, privacy, and the suppliers themselves.
- Conduct AI risk assessments on suppliers' AI models to ensure Iarnród Éireann's sensitive data is ring-fenced and not used to train other models.
- Conduct specific risk assessments on suppliers utilizing OT, IoT, and ML technologies to ensure compliance with data protection and regulatory requirements.
- Develop and implement remediation plans for identified security gaps, working directly with vendors to enforce corrective actions.
- Maintain detailed records of vendor assessments, risk profiles, and mitigation plans to ensure transparency and regulatory compliance.
- Perform technical security architecture reviews to identify potential vulnerabilities impacting security principles, collaborating with the architecture team to confirm and address these vulnerabilities.
- Work with internal stakeholders (procurement, legal, IT, compliance) to integrate third-party risk considerations into vendor selection and contract management processes.
- Confirm inherent and residual risk ratings and the effectiveness of supplier security measures and controls.
- Review and analyse the daily vulnerability reports generated by the third-party risk management tool, confirm reported vulnerabilities, and report them to the responsible teams.
- Review the daily threat intelligence report generated by TI reporting tools.
- Ensure that third-party risk management practices adhere to relevant regulations and standards (e.g., GDPR, ISO 27001, NIST).
- Establish procedures for responding to third-party risk incidents, ensuring minimal impact on business operations, working closely with the security operations lead and business continuity lead.
- Develop and present risk reports to senior management, highlighting key risks, trends, and mitigation strategies.
- Leverage tools and technologies to enhance third-party risk assessment, monitoring, and reporting capabilities.
Skills and Experience
- Excellent analytical and problem-solving abilities.
- 5+ years of experience in third-party risk management, vendor management, IT risk, compliance, or a similar role.
- Strong communication and stakeholder management skills.
- Experience with risk assessment tools and methodologies.
- Ability to work independently and manage multiple priorities.
Required Qualifications:
- Bachelor's or Master's degree in Risk Management, Cybersecurity, Business Information Systems, or a related field.
- Strong understanding of third-party risk management frameworks, cybersecurity principles, and regulatory requirements.
- Relevant certifications (e.g., CISM, CISA, CISSP, CRISC) are a plus.
Salary Scale – Ungraded Executive Level 4C
Year | Per Annum Effective 01/01/2025 (€) | Per Month Effective 01/01/2025 (€) | Per Hour Effective 01/01/2025 (€)
---|---|---|---
1 | €81,034.77 | €6,752.90 | €43.1492
2 | €82,722.98 | €6,893.58 | €44.0482
3 | €84,411.19 | €7,034.27 | €44.9471