    ITS Third Party Governance Assurance Analyst II

    • OH, US
    • Aug 04, 2025 - Nov 01, 2025
    • Summa Health
    • Corporate Office
    $80/Hour

    Job Description:

    Summary:

    Under general direction of the Manager, IT&S Third-Party Governance & Assurance, the IT&S Third-Party Governance & Assurance Analyst II (Intermediate) operates the organization's Vendor Management Office (VMO) and third-party risk management capabilities. Collaborates with stakeholders across IT, procurement, security, legal, compliance, and operations to assess vendor capabilities, ensure contracts align with IT and security requirements, and continuously improves IT vendor management capabilities. Applies in-depth knowledge of information technology, cybersecurity, and healthcare regulations (e.g., HIPAA, PCI DSS) to ensure that external IT services meet the organization's compliance, risk, and operational standards. Works to ensure VMO and third-party risk management processes efficiently and effectively achieve the organization's IT and cybersecurity objectives. Provides thought leadership and guidance to level I Analysts.

    Minimum Qualifications:

    1. Formal Education Required:
        a. Bachelor's Degree in Computer Science, Cybersecurity, IT, or Engineering or equivalent combination of education and/or experience.
    2. Experience & Training Required:
        a. Five (5) years of combined experience in information technology, cybersecurity, vendor management, or third-party risk management.
        b. Preferred experience in a healthcare environment with exposure to HIPAA, PCI DSS, or other relevant regulations.
        c. Certifications preferred:
            i. ITIL Foundation (or equivalent)
        d. Certifications preferred:
            i. CompTIA Security
            ii. ISC2 HCISSP
            iii. ISACA COBIT Foundations
    3. Other Skills, Competencies and Qualifications:
        a. Intermediate knowledge of laws, policies, procedures, and governance structures relevant to cybersecurity and third-party risk management in the healthcare and public health sector (e.g., HIPAA, PCI DSS).
        b. Intermediate knowledge of risk management processes (e.g., methods for assessing and mitigating vendor risk) and their application to third-party evaluations.
        c. Intermediate knowledge of core cybersecurity principles, cyber threats, and vulnerabilities as they relate to supply chain and third-party services.
        d. Intermediate knowledge of IT procurement and contract management principles, including the ability to review and interpret vendor service agreements, data handling agreements, and audit reports (e.g., SOC 2).
        e. Intermediate knowledge of supply chain risk management practices, including identification and evaluation of potential vendor risks (financial, reputational, operational, and security-related).
        f. Intermediate knowledge of healthcare operations, clinical workflows, and the organization's foundational business processes.
        g. Basic knowledge of system life cycle management principles, including software security and usability.
        h. Basic knowledge of the organization's enterprise information technology (IT) and cybersecurity goals and objectives.
        i. Basic knowledge of enterprise incident response program, roles, and responsibilities.
        j. Intermediate skill in contract negotiation and vendor relationship management, including experience working closely with legal and procurement teams to negotiate favorable contract terms, resolve vendor disputes, and build long-term strategic partnerships with key IT suppliers.
        k. Intermediate skill in problem-solving to identify root causes of vendor-related issues and recommend effective remediation strategies.
        l. Intermediate skill in evaluating the trustworthiness of the supplier and/or product.
        m. Intermediate skill in technical writing.
        n. Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
        o. Ability to mentor junior analysts by providing guidance and knowledge-sharing, and by promoting best practices in vendor risk management.
        p. Ability to apply critical reading/thinking skills.
        q. Ability to evaluate information for reliability, validity, and relevance.
        r. Ability to