Description

Penn Medicine is dedicated to our tripartite mission of providing the highest level of care to patients, conducting innovative research, and educating future leaders in the field of medicine. Working for this leading academic medical center means collaboration with top clinical, technical and business professionals across all disciplines.

Today at Penn Medicine, someone will make a breakthrough. Someone will heal a heart, deliver hopeful news, and give comfort and reassurance. Our employees shape our future each day. Are you living your life's work?

The role involves on-site presence for the first 6 months with the possibility of remote work after the introductory period is complete .

Summary:

• The Senior Advisor for Third Party Risk Management (TPRM) will play a critical role in overseeing and enhancing the organization's TPRM program. Reporting to the Senior Manager of TPRM, the Senior Advisor will be responsible for developing, implementing, and maintaining strategies, policies, and procedures to manage risks associated with third-party relationships effectively.

Responsibilities:

• Program Development and Governance: Lead the development, implementation, and enhancement of the organization's TPRM program, including policies, standards, and procedures. Establish governance structures and oversight mechanisms to ensure the effectiveness and alignment of TPRM activities with organizational objectives and regulatory requirements.

• Risk Assessment and Mitigation: Conduct comprehensive risk assessments of third-party relationships to identify potential security, compliance, and operational risks. Develop risk mitigation strategies and controls to address identified risks, including contractual clauses, service-level agreements (SLAs), and security requirements.

• Vendor Due Diligence and Selection: Lead the due diligence process for evaluating and selecting new third-party vendors, suppliers, and partners. Develop standardized criteria and evaluation frameworks for assessing potential vendors' security posture, compliance with regulations, financial stability, and reputation.

• Contract Management and Compliance: Oversee the negotiation, review, and management of contracts, agreements, and service-level commitments with third parties. Ensure that contracts include provisions related to data protection, security requirements, incident response, audit rights, and termination clauses.

• Ongoing Monitoring and Assurance: Implement continuous monitoring mechanisms to track third-party activities, performance, and compliance with contractual obligations and security requirements. Conduct periodic audits, assessments, and reviews of third-party security controls and practices to ensure ongoing compliance with organizational policies and standards.

• Incident Response and Remediation: Develop and maintain incident response plans and procedures specific to third-party security incidents or breaches. Collaborate with internal teams and third parties to investigate incidents, mitigate risks, and implement corrective actions to prevent recurrence.

• Stakeholder Engagement and Communication: Communicate cybersecurity risks and mitigation strategies to internal stakeholders, including senior management, business units, and risk owners. Provide regular updates on the status of third-party risk management initiatives and key risk indicators (KRIs) and Establish protocols for reporting, investigating, and remedying security incidents involving third-party relationships.

• Performs duties in accordance with Penn Medicine and entity values, policies, and procedures

• Other duties as assigned to support the unit, department, entity, and health system organization

Education or Equivalent Experience:

• Bachelor's degree. (Required)

• 5+ years of IT experience. (Required)

• 1+ years of Third-Party Cyber Security experience. (Preferred)

• 1+ years of management/leadership experience. (Preferred)

• CISSP - Preferred

• CCSP – Preferred

Skills/Abilities:

• Proven experience (typically 8+ years) in cybersecurity, risk management, or vendor management roles, with a focus on third-party risk management.

• In-depth knowledge of cybersecurity principles, frameworks (e.g., NIST CSF, ISO 27001), and regulatory requirements (e.g., HIPAA, PCI DSS) related to third-party risk management.

• Strong understanding of vendor risk assessment methodologies, security controls, and best practices for managing cybersecurity risks across the vendor lifecycle.

• Excellent communication and interpersonal skills, with the ability to collaborate effectively with cross-functional teams and communicate complex cybersecurity concepts to non-technical stakeholders.

• Demonstrated leadership and project management skills, with the ability to prioritize tasks, manage multiple projects simultaneously, and drive initiatives to successful completion.

• Analytical mindset with the ability to identify, assess, and mitigate cybersecurity risks effectively, including proficiency in risk analysis techniques and tools.

• Self-motivated and goal-oriented with the ability to seize the initiative, garner consensus and develop and implement an effective strategy.

• Strong experience in managing technical and business-facing teams made up of individual with diverse skills and experiences

• Demonstrated ability to establish and maintain strong working relationships with stakeholders, partners, and industry peers.

• Experience in staffing, mentoring, coaching, and managing multiple teams and functions

• Effective communication skills and ability to synthesize complex technical topics for non-technical audiences

We believe that the best care for our patients starts with the best care for our employees. Our employee benefits programs help our employees get healthy and stay healthy. We offer a comprehensive compensation and benefits program that includes one of the finest prepaid tuition assistance programs in the region. Penn Medicine employees are actively engaged and committed to our mission. Together we will continue to make medical advances that help people live longer, healthier lives.

Live Your Life's Work

We are an Equal Opportunity and Affirmative Action employer. Candidates are considered for employment without regard to race, ethnicity, color, sex, sexual orientation, gender identity, religion, national origin, ancestry, age, disability, marital status, familial status, genetic information, domestic or sexual violence victim status, citizenship status, military status, status as a protected veteran or any other status protected by applicable law.

REQNUMBER: 226081