Emmanuel K. Prempeh, BSc., CISA, CISM Email and Phone Number
• TPRM Subject matter expert (SME) and licensed Third-Party compliance manager with 10+ years expertise in Vendor Risk Management.
• IT Security and Compliance Analyst with experience implementing/assessing HITRUST, ISO 27001, SOC, HIPAA, NIST 800-53 and PCI DSS controls.
• In-depth knowledge of risk assessment methodologies, privacy regulatory standards (GDPR, CCPA, etc.) and ability to manage projects with cross-functional teams.
• Extensive working knowledge of FISMA, NIST SP 800 series, HITRUST and SOX.
• Great team player and passionate about improving security posture of organizations.
Humana
Website: humana.com
Employees: 45742
Humana, Loganville, Ga, US
Third-Party Risk Manager
Humana, Mar 2023 - Present
Louisville, Kentucky, US
Goal: Manage and mature Humana’s TPRM program towards a robust and effective risk management system where stakeholders can identify, evaluate, mitigate and monitor risks associated with services or goods provided by Humana’s Third-Parties.
GRC Tools/Platforms: OneTrust, RSA Archer, Icertis, aSSIST, Bitsight, Black Kite, Ms. Suite, Monday.com.
• Manage Vendor risk due diligence across TPRM life cycle: Onboarding, Ongoing and Offboarding.
• Review completed Inherent Risk Questionnaire (IRQ), SIG Questionnaire, Information Security Agreements (ISAs), and other supporting evidence documentation.
• Assess details of controls in independent audit reports such as SOC 2 Type 2, HITRUST, ISO 27001, HIPAA, PCI DSS, Pen-Test, etc.
• Conduct ongoing assessments, performance monitoring, and real time analysis of threat intelligence reports on third-parties with Bitsight, Black Kite, Advisen, etc.
• Negotiate Information Security Agreements (ISAs), ensuring key security controls and critical provisions are consistent with the scope of engagement.
• Participate in project to re-design, implement and mature Humana’s TPRM program to improve vendor management ecosystem, facilitate stakeholder engagement and reduce vendor noncompliance.
• Write and present detailed risk assessment report to internal risk team and senior management every week.
Third-Party Risk Analyst
MUFG, Jun 2021 - Feb 2023
Chiyoda-Ku, Tokyo, JP
Collaborate with security and legal teams to re-structure and develop MUFG’s TPRM Program to comply with federal and state regulatory requirements and emerging threats.
GRC Tools/Platforms: ServiceNow, PRIVA, Assist, Coupa, Security Scorecard, Black Kite, Ms. Suite, Slack.
• Collaborated with legal and security teams to draft TPRM policy, review workflow, and implement controls consistent with industry standards and risk-based approach to vendor risk assurance.
• Examined and evaluated internal controls in key technology risk areas to ensure compliance with internal policies and applicable framework, procedures, and regulations.
• Conducted detailed vendor risk screening, and worked with key stakeholders to identify and evaluate risk before continuing operations with third-parties.
• Conducted assessment and re-assessment of vendors periodically and monitored their security practices and compliance with contractual obligations.
• Reviewed technologies, processes, documentation and data to identify gaps in the effectiveness of automated tools, security controls and operational standards.
• Evaluated internal controls in key technology risk areas to ensure compliance with policies and applicable rules, laws and regulations.
Senior Information Security Analyst
Athenahealth, Feb 2018 - May 2021
Boston, Massachusetts, US
• Assisted in writing TPRM policy and procedures, ensuring vendor risk due diligence is consistent with industry standards and emerging threats.
• Coordinated multiple third-party due diligence activities from onboarding to offboarding while training team members on industry best practices and regulatory requirements.
• Conducted vendor risk assessments including reviewing Inherent Risk Questionnaire (IRQs), Tiering, running security intelligence reports, and reviewing SIG questionnaire.
• Analyzed policy documents, reviewed artifacts, evaluated responses to Questionnaire, and followed up on findings.
• Monitored status of each third-party security posture and due diligence activity and communicated details to stakeholders.
• Participated in HITRUST, ISO, HIPAA, SOC II, and PCI DSS assessments and advised stakeholders on emerging security threats.
GRC Analyst
Nextgen Healthcare, Jan 2013 - Jan 2018
Remote First, US
• Conducted HIPAA audits, served on security controls review committee, and performed general third-party risk due diligence.
• Prepared test plans for internal risk assessments, and collaborated with external assessors to facilitate evidence gathering during annual audits.
• Reviewed completed security questionnaire and artifacts and tracked issues identified with supporting mitigation measures.
• Conducted periodic reassessment of vendors and monitored third-party security practices in line with contractual obligations.
• Coordinated the preparation and assessment of controls and artifacts for HITRUST, SOC II, HIPAA and PCI DSS external audits.
Emmanuel K. Prempeh, BSc., CISA, CISM Education Details
Georgia Gwinnett College, Biochemistry
Frequently Asked Questions about Emmanuel K. Prempeh, BSc., CISA, CISM
What company does Emmanuel K. Prempeh, BSc., CISA, CISM work for?
Emmanuel K. Prempeh, BSc., CISA, CISM works for Humana.
What is Emmanuel K. Prempeh, BSc., CISA, CISM's role at the current company?
Emmanuel K. Prempeh, BSc., CISA, CISM's current role is Third Party Risk Manager / GRC Analyst.
What schools did Emmanuel K. Prempeh, BSc., CISA, CISM attend?
Emmanuel K. Prempeh, BSc., CISA, CISM attended Georgia Gwinnett College.
Who are Emmanuel K. Prempeh, BSc., CISA, CISM's colleagues?
Emmanuel K. Prempeh, BSc., CISA, CISM's colleagues are Tania Pancorbo, Jessica Pegeese, Abisek Diyali, Caroline Kauffmann, Matt Parker, Cssr, Desiree Jackson, Angela Williams-Thewes.