
Business Analyst (Third-Party Security & Privacy Risk Management)
Jobs via Dice · United States
- Hybrid
- Full-time
- $85,000 / year
- United States
Job highlights
- Analyze and manage third-party security/privacy risks.
- Develop data inventories and risk tiering models.
- Collaborate with security, legal, and business teams.
- Ensure patient data protection for a new initiative.
- This is a 6-month contract role.
About the role
Business Analyst Third-Party Security and Privacy Risk Management
Dice is the leading career destination for tech experts at every stage of their careers. Our client, Talent Groups, is seeking the following. Apply via Dice today!
Duration: 6 months to start
Job Description
The Third Party Risk Management Analyst / Business Analyst (BA) is a temporary contractor supporting the Patient Trust initiative by identifying third-party processors that store, access, or handle patient data (including PHI/PII as applicable) and strengthening oversight, accountability, and risk management of those processors. The BA partners with Security, Privacy, Procurement, Legal, Risk, and business owners to define requirements, analyze the current state, and deliver foundational governance artifacts such as a unified third-party patient data inventory, a vendor lookback plan, and a risk-tiering model.
Key Responsibilities
- Deliver Phase 1 foundations for Workstream 3: translate the deck deliverables into requirements, detailed process steps, owners, and measurable outputs across the Vendor Lookback Plan, Unified Third-Party Patient Data Inventory, and Risk-Tiering Model.
- Vendor Lookback Plan (Apr-Nov): build the initial vendor universe by coordinating the OneTrust pull and the LeanIX pull and defining the comparison logic used to establish the starting population of potential patient-data vendors.
- Identify likely patient-data service areas: perform procurement taxonomy review, category classification, and targeted vendor list requests to focus on service areas most likely to process patient data.
- Consolidate and normalize the master vendor list: merge OneTrust/LeanIX/Procurement sources; deduplicate; standardize vendor names; and capture baseline context (service description, business owner, system/app linkage as available).
- Confirm patient data processing (in-scope determination): execute desktop validation and drive targeted business owner confirmations to finalize binary in-scope / out-of-scope decisions.
- Operationalize risk-based lookback triggers: define and document trigger logic (time since review, data sensitivity, volume, access level, criticality) and apply it to the in-scope vendor set to determine reassessment needs.
- Drive formal approval of the lookback methodology: prepare decision materials and facilitate approvals for scope, triggers, and prioritization logic with Workstream 3 stakeholders.
- Deliver the Unified Third-Party Patient Data Inventory (Jul-Nov): ensure the inventory captures required outputs (normalized vendor name, business owner, service description, patient data involvement yes/no, data types, geographic footprint, and risk tier once established).
- Build the Risk-Tiering Model (Aug-Nov) and prioritized lookback queue: define tier inputs (sensitivity, volume, access, criticality, time since review), group vendors into high/medium/low tiers tied to review expectations, and create an execution queue aligned to capacity, phased waves, and future automation.
- Support Phase 2 execution (Oversight & Monitoring): support the execution of lookback assessments and the operationalization of the Third-Party Assurance Program (annual security & privacy reviews, evidence-based control testing, SOC 2 / ISO 27001 intake review processes).
- Continuous monitoring of critical vendors: help define the monitoring approach using questionnaires, external signals, and/or integrated vendor-risk tools; document thresholds, cadence, escalation paths, and reporting.
- Third-Party Incident Response Integration: define and document vendor notification and cooperation expectations within defined timeframes for patient data/PHI exposure events; align playbooks and handoffs with Security Incident Response and Privacy.
Required Qualifications
- 5+ years of business analysis experience delivering process, data, and governance outcomes in regulated environments.
- Hands-on experience with third-party / vendor security risk management (TPRM), including risk assessments, evidence collection, remediation tracking, and stakeholder communications.
- Strong understanding of security and privacy fundamentals as they relate to third parties (e.g., access, data handling, encryption, incident response, audit artifacts).
- Demonstrated ability to build and maintain inventories or registries (vendors, applications, data flows) with attention to data quality, normalization, and reporting.
- Proficiency with requirements elicitation/documentation techniques (workshops, interviews, user stories, acceptance criteria) and process mapping.
- Excellent written and verbal communication skills; ability to translate technical and control concepts into business-friendly language.
- Experience working cross-functionally with Security, Privacy, Procurement/Vendor Management, Legal, IT, and business owners.
Preferred Qualifications
- Experience supporting healthcare data programs and/or familiarity with HIPAA/HITECH concepts (or equivalent healthcare privacy/security frameworks).
- Experience reviewing third-party audit reports and certifications (SOC 2 Type II, ISO 27001, NIST Privacy Framework, ISO 27701) and translating results into risk decisions.
- Experience with TPRM and GRC tooling and/or enterprise inventory sources (e.g., OneTrust, LeanIX, procurement systems, vendor-risk platforms).
- Experience defining risk tiering methodologies and prioritization queues aligned to capacity and operational realities.
- Familiarity with contract/security addenda requirements and third-party incident notification language.
- Project delivery experience in Agile, hybrid, or waterfall environments; comfort with backlog management and delivery planning.
Key skills/competencies
- Third-Party Risk Management
- Business Analysis
- Data Inventory
- Risk Tiering Model
- Vendor Lookback Plan
- Security Fundamentals
- Privacy Fundamentals
- HIPAA/HITECH
- Requirements Elicitation
- Process Mapping
Skills & topics
- Business Analyst
- Third-Party Risk Management
- Security Risk
- Privacy Risk
- Data Inventory
- Vendor Management
- Risk Assessment
- HIPAA
- HITECH
- TPRM
How to get hired
- Tailor your resume: Highlight 5+ years in business analysis, TPRM, and regulated environments.
- Showcase relevant skills: Emphasize experience with data inventories, risk assessments, and cross-functional collaboration.
- Address preferred qualifications: Mention healthcare data programs, HIPAA/HITECH, and TPRM/GRC tools if applicable.
- Prepare for interviews: Be ready to discuss translating technical concepts and your experience in risk management.
- Apply strategically: Apply via Dice to ensure your application reaches the Talent Groups hiring team.
Frequently asked questions
- What is the primary goal of the Third Party Risk Management Analyst role at Talent Groups?
- The primary goal is to support the Patient Trust initiative by strengthening the oversight, accountability, and risk management of third-party processors handling patient data, including PHI/PII.
- What kind of data will the Business Analyst be working with in this role?
- The Business Analyst will work with patient data, including Protected Health Information (PHI) and Personally Identifiable Information (PII), as handled by third-party processors.
- What are the key deliverables for this Business Analyst position?
- Key deliverables include a unified third-party patient data inventory, a vendor lookback plan, and a risk-tiering model, along with supporting Phase 2 execution and continuous monitoring.
- What experience is required for this Business Analyst role?
- Required experience includes 5+ years in business analysis within regulated environments, hands-on TPRM, understanding of security/privacy fundamentals, and ability to build inventories.
- Is this a remote or on-site position?
- The job description does not explicitly state the work arrangement, but typically contractor roles of this nature might be hybrid or remote depending on the client's needs. Further clarification should be sought during the application process.
- What is the duration of this contract role?
- This is a temporary contractor role with an initial duration of 6 months.
- What kind of tooling experience is preferred for this Business Analyst role?
- Preferred tooling experience includes TPRM and GRC platforms, as well as enterprise inventory sources like OneTrust, LeanIX, and procurement systems.
- Does this role require knowledge of healthcare-specific regulations?
- Experience supporting healthcare data programs and familiarity with HIPAA/HITECH concepts are listed as preferred qualifications, so this knowledge is a strong advantage rather than a hard requirement.
- How can I best tailor my resume for the Business Analyst role?
- Tailor your resume to highlight your 5+ years of business analysis experience, specific work in third-party risk management, data inventory creation, and experience in regulated or healthcare environments.