Planned Parenthood is the nation’s leading provider and advocate of high-quality, affordable sexual and reproductive health care for all people, as well as the nation’s largest provider of sex education. Planned Parenthood organizations serve all people with care and compassion, with respect, and without judgment, striving to create equitable access to health care. Through health centers, programs in schools and communities, and online resources, Planned Parenthood is a trusted source of reliable education and information that allows people to make informed health decisions. We do all this because we care passionately about helping people lead healthier lives.
Planned Parenthood Federation of America (PPFA) is a 501(c)(3) charitable organization that supports the independently incorporated Planned Parenthood affiliates, which operate non-profit health centers across the U.S. PPFA also works to educate the public on and advocate for issues of sexual and reproductive health. Formed as the advocacy and political arm of Planned Parenthood Federation of America, Planned Parenthood Action Fund is a separate non-profit membership organization tax-exempt under section 501(c)(4). The Action Fund engages in educational, advocacy, and limited electoral activity, including grassroots organizing, legislative advocacy, and voter education in furtherance of the Planned Parenthood mission.
Planned Parenthood Federation of America (PPFA) and Planned Parenthood Action Fund seek a knowledgeable and proactive Senior Specialist, Information Security, Third Party Risk. This job reports directly to the Manager, Information Security, Third Party Risk in the Information Security department of PPFA. The Technology Strategy & Services division provides information security policies, procedures, and technical systems in order to maintain the confidentiality, integrity, and availability of all organizational healthcare information systems and their associated data.
Purpose:
• The Senior Specialist for the Information Security Third Party Risk Management (TPRM) team will be responsible for executing comprehensive information security risk assessments of third-party vendors engaged by PPFA, Affiliate, and Ancillary organizations. This includes evaluating vendors across multiple risk tiers to ensure they meet internal information security policies, HIPAA and PCI DSS requirements, and applicable regulatory standards. The Senior Specialist will thoughtfully analyze vendor-provided documentation, proactively identify potential risks, collaborate with key parties to determine appropriate risk management strategies, and produce detailed and accurate assessment reports to inform business, procurement, and contracting decisions. This role plays a critical part in safeguarding sensitive organizational data by ensuring that all third-party engagements align with PPFA’s privacy, compliance, and cybersecurity expectations and requirements.
Delivery:
• The Senior Specialist delivers by managing the end-to-end TPRM process for their assigned vendors. This includes initiating and maintaining communications with internal and external partners; reviewing and analyzing security and compliance documentation; identifying and documenting risks and control gaps; and producing formal assessment reports to inform risk management decisions. This role partners with vendors and internal stakeholders to ensure third-party engagements meet established security, privacy, and compliance requirements, and supports continuous improvement through diligent documentation, analysis, and escalation of identified issues.
• Initiate required communications in a timely manner and engage directly with key parties to gather needed information, clarify responses, and support risk management efforts.
• Review intake/triage responses in collaboration with the TPRM Manager to determine the appropriate evaluation path based on inherent risk indicators.
• Adhere to TPRM-defined SLAs, templates, processes, guidelines, requirements, and expectations throughout the TPRM lifecycle process.
• Conduct detailed information security risk assessments of third-party vendors across various vendor types and risk levels (e.g., SaaS providers, consulting engagements, low-risk services), in alignment with strategies and expectations as defined by the Manager and within TPRM documentation.
• Evaluate all vendor-provided documentation and responses against internal policies and applicable regulatory and industry standards, including HIPAA, NIST CSF, PCI DSS, and PPFA information security policies.
• Produce clear and actionable risk assessment reports that communicate findings to procurement, legal, security, and business stakeholders to support risk management decision-making.
• Collaborate with internal partners to advise on vendor-related risks during intake, onboarding, and renewal processes.
• Monitor and report on assessment progress, including delays, risk management status, and escalation needs using risk management tools (e.g., Asana, Jira, GRC platforms).
• Support and contribute to the maintenance of TPRM documentation, templates, and workflows.
Engagement:
• Engage directly with internal and external partners to facilitate the information gathering process, clarify responses and security documentation, and support resolution of identified risks.
• Collaborate with internal stakeholders such as procurement, legal, privacy, and IT to ensure vendor assessments are aligned with contract and compliance requirements.
• Partner with internal risk owners to track and follow up on remediation plans, ensuring timely risk management and communication of outstanding items.
• Participate in regular team meetings and working groups to share findings, escalate concerns, and contribute to the improvement of TPRM workflows.
• Support the TPRM team by maintaining documentation, resource materials, and tools (e.g., Asana, Confluence, Jira, GRC platforms) for transparency and knowledge sharing.
• Represent the TPRM function in cross-functional intake or triage discussions, offering risk input for new or renewing vendor relationships.
Knowledge, Skills and Abilities (KSAs):
• Bachelor’s degree in Cybersecurity, Information Technology, Information Systems, Risk Management, or a related discipline (required).
• Relevant coursework or training in data privacy, regulatory compliance, or cyber risk management (preferred).
• Industry certifications such as CTPRA, CTPRP, or CISA (preferred). Obtain an industry certification within 1 year of hire (required).
• 3–6 years of professional experience in information security, vendor risk management, IT/IS risk, or compliance roles (required).
• At least 2 years of experience conducting or supporting third-party/vendor security risk assessments, preferably within a regulated industry (e.g., healthcare, finance, or tech) (required).
• Experience reviewing vendor security questionnaires, SOC 2 reports, SIG assessments, or similar compliance documentation.
• Familiarity with security frameworks such as NIST CSF, HIPAA Security Rule, PCI DSS, and basic data privacy regulations (e.g., CCPA, GDPR).
• Hands-on experience using assessment tracking or GRC platforms (e.g., UpGuard, LogicGate, OneTrust, or spreadsheets with workflow tools like Jira or Asana).
• Exposure to working with procurement, legal, privacy, or compliance teams during vendor onboarding or contract review cycles.
• Ability to carefully review documentation, identify small errors or gaps in responses, and understand technical security controls and how they apply in a third-party context.
• Experience with basic contract review, including understanding standard terms and general contract language, especially data privacy and security provisions in legal documents.
• Ability to work in a dynamic, fast-paced environment, managing competing cross-functional priorities and complex requirements.
• Excellent ability to conceive, draft, proofread, and edit written materials quickly, including demonstrated ability to understand and communicate about complex, technical, or sensitive subjects in a clear, concise, and engaging manner.
• High proficiency in Google products.
• Flexibility and ability to adapt to quickly changing priorities and ambiguous situations.
• Commitment and track record of advancing racial equity in both operations and communications.
• Commitment to PPFA’s mission and diversity, equity, and inclusion, particularly surrounding race equity.
• A deep commitment to Planned Parenthood’s mission of promoting sexual and reproductive health.
Travel: 0-10% domestic travel, as needed.
Planned Parenthood's cultural ethos, "In This Together", reflects our commitment to building a workplace culture that fosters belonging, promotes learning throughout the employee lifecycle, and recognizes individual contributions to our mission. Planned Parenthood Federation of America participates in the E-Verify program.
Planned Parenthood Federation of America is an equal employment opportunity employer and is committed to maintaining a non-discriminatory work environment, and does not discriminate against any employee or applicant for employment on the basis of race, color, religion, sex, national origin, age, disability, veteran status, marital status, sexual orientation, gender identity, or any other characteristic protected by applicable law. Planned Parenthood Federation of America is committed to creating a dynamic work environment that values diversity and inclusion, respect and integrity, customer focus, and innovation.