Third Party Risk Management (TPRM) Analyst
CoreWeave is a specialized cloud provider focused on GPU accelerated use cases including VFX, AI/ML, Batch Processing and Real Time Experiences. We support countless AI/ML services in the text to image, NLP and broader AI/ML space, reducing client’s infrastructure management requirements with our Kubernetes based serverless GPU cloud offerings.
Job Description
The Third Party Risk Management (TPRM) Analyst at CoreWeave will be responsible for supporting the GRC Manager, team members, and internal/external stakeholders with the day-to-day operations of the TPRM Program. The primary focus of this role will be to conduct third-party risk assessments and develop mitigation plans to minimize third-party risks. This role is a high visibility role that will work closely with stakeholders across Security, Legal, Procurement, and Finance.
Core job duties include, but are not limited to:
- Complete third-party risk assessments for all new vendors
- Ensure third-party risk assessments include an in-depth Business Impact Analysis (BIA) and Data Protection Impact Assessment (DPIA), supporting BCP/DR and Privacy programs
- Continually reevaluate vendors based on their criticality level to identify/document any changes that may impact our risk exposure, data privacy, mitigation strategies, etc.
- Coordinate the collection of required security assessment artifacts (e.g., audit reports, privacy policies, compliance documentation, incident response plan, disaster recovery/business continuity plans, etc.) from (new and existing) vendors periodically
- Triage assessments that require technical reviews to Security Engineering
- Prepare and monitor the status of each vendor risk assessment (software, data center landlords, etc.) and communicate the status with key stakeholders regularly
- Update and document due diligence tracking with real-time status and escalate issues and concerns (e.g., oversight deficiencies, program concerns, and open risk items)
- Own and update control evidence related to TPRM to ensure readiness for internal assessments and external audits
- Document program processes and procedures to ensure all updates to the TPRM program are captured and accessible to relevant parties
- Support the sales department in completing customer TPRM questionnaires and being the point of contact for security, governance and IT-related inquiries
- Support technical writing team with public-facing due diligence documentation and customer-facing Trust Center
Desired qualifications:
- Experience conducting third-party risk assessments to identify, document, and mitigate potential risks a third party may introduce
- Strong experience utilizing Jira to track and prioritize incoming vendor requests
- Ability to conduct vendor Business Impact Analysis (BIA) and Data Privacy assessments
- Minimum of 3-5 years of work experience in IT/Security Compliance/Audit function (or equivalent)
- Educational Qualification: Bachelor's in Information Security, Computer Science, or related degree; Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) Certification or equivalent
- Proven experience in compliance, risk, business continuity, and/or IT security program management
- Familiarity with data privacy regulations and standards (ISO 27701, GDPR, etc.)
- Excellent written communications to internal and external audiences, including senior leadership
- Experience collaborating with cross-functional teams, including legal, procurement, engineering, infrastructure, security, etc.
- Ability to succeed in a team environment or work as an individual contributor
- In-depth knowledge of the security and compliance standards/regulations, specifically SOX, SOC 2, ISO 27001, ISO 27701, NIST 800-53, NIST CSF, FedRAMP, GDPR, PCI DSS and HIPAA
- Understanding of concepts related to information security domains such as Cloud Computing, Data Privacy, Physical Security, Identity and Access Management, Encryption, Vulnerability Management, Incident Response, etc.
Additional qualifications:
- Experience with Vendor Management / Third Party Risk Management Programs for Cloud providers
- Self-starter and requires minimal direction from leadership
- Methodical and diligent with outstanding planning abilities
- Able to meet deadlines and handle multiple priorities
- Strong ability to negotiate with business partners to attain successful outcomes
- Excellent communication skills
- Strong project management skills with the ability to manage several large projects at the same time, keeping them on scope, on budget, and on time
- Ability to present and effectively communicate with all levels of the organization
- Flexible with the ability to multitask, effectively prioritize, and work under pressure
- Advocate of continuous improvement and industry-recognized best practice
Our compensation reflects the cost of labor across several US geographic markets. The base pay for this position ranges from $125,000-$145,000. Pay is based on a number of factors including market location and may vary depending on job-related knowledge, skills, and experience.
The Third Party Risk Management (TPRM) Analyst at CoreWeave will be responsible for supporting the GRC Manager, team members, and internal/external stakeholders with the day-to-day operations of the TPRM Program. The primary focus of this role will be to conduct third-party risk assessments and develop mitigation plans to minimize third-party risks. This role is a high visibility role that will work closely with stakeholders across Security, Legal, Procurement, and Finance.
Core job duties include, but are not limited to:
- Complete third-party risk assessments for all new vendors
- Ensure third-party risk assessments include an in-depth Business Impact Analysis (BIA) and Data Protection Impact Assessment (DPIA), supporting BCP/DR and Privacy programs
- Continually reevaluate vendors based on their criticality level to identify/document any changes that may impact our risk exposure, data privacy, mitigation strategies, etc.
- Coordinate the collection of required security assessment artifacts (e.g., audit reports, privacy policies, compliance documentation, incident response plan, disaster recovery/business continuity plans, etc.) from (new and existing) vendors periodically
- Triage assessments that require technical reviews to Security Engineering
- Prepare and monitor the status of each vendor risk assessment (software, data center landlords, etc.) and communicate the status with key stakeholders regularly
- Update and document due diligence tracking with real-time status and escalate issues and concerns (e.g., oversight deficiencies, program concerns, and open risk items)
- Own and update control evidence related to TPRM to ensure readiness for internal assessments and external audits
- Document program processes and procedures to ensure all updates to the TPRM program are captured and accessible to relevant parties
- Support the sales department in completing customer TPRM questionnaires and being the point of contact for security, governance and IT-related inquiries
- Support technical writing team with public-facing due diligence documentation and customer-facing Trust Center
Desired qualifications:
- Experience conducting third-party risk assessments to identify, document, and mitigate potential risks a third party may introduce
- Strong experience utilizing Jira to track and prioritize incoming vendor requests
- Ability to conduct vendor Business Impact Analysis (BIA) and Data Privacy assessments
- Minimum of 3-5 years of work experience in IT/Security Compliance/Audit function (or equivalent)
- Educational Qualification: Bachelor's in Information Security, Computer Science, or related degree; Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP) Certification or equivalent
- Proven experience in compliance, risk, business continuity, and/or IT security program management
- Familiarity with data privacy regulations and standards (ISO 27701, GDPR, etc.)
- Excellent written communications to internal and external audiences, including senior leadership
- Experience collaborating with cross-functional teams, including legal, procurement, engineering, infrastructure, security, etc.
- Ability to succeed in a team environment or work as an individual contributor
- In-depth knowledge of the security and compliance standards/regulations, specifically SOX, SOC 2, ISO 27001, ISO 27701, NIST 800-53, NIST CSF, FedRAMP, GDPR, PCI DSS and HIPAA
- Understanding of concepts related to information security domains such as Cloud Computing, Data Privacy, Physical Security, Identity and Access Management, Encryption, Vulnerability Management, Incident Response, etc.
Additional qualifications:
- Experience with Vendor Management / Third Party Risk Management Programs for Cloud providers
- Self-starter and requires minimal direction from leadership
- Methodical and diligent with outstanding planning abilities
- Able to meet deadlines and handle multiple priorities
- Strong ability to negotiate with business partners to attain successful outcomes
- Excellent communication skills
- Strong project management skills with the ability to manage several large projects at the same time, keeping them on scope, on budget, and on time
- Ability to present and effectively communicate with all levels of the organization
- Flexible with the ability to multitask, effectively prioritize, and work under pressure
- Advocate of continuous improvement and industry-recognized best practice
Our compensation reflects the cost of labor across several US geographic markets. The base pay for this position ranges from $125,000-$145,000. Pay is based on a number of factors including market location and may vary depending on job-related knowledge, skills, and experience.