About Us
Live Oak Bank is a digital bank that serves small business owners across the country. Our groundbreaking spin on service and technology has fueled our mission to be America’s Small Business Bank. Our products help customers buy, build, and expand their business, and our high-yield savings and CD products help them grow their hard-earned money. At Live Oak, we never lose sight of the well-being of our people. We believe our employees are the heart of our company. Our commitment to our customers and culture is intertwined, and we seek those who embody and embrace what it takes to empower the American dream.
How This Role Impacts Live Oak and its People
The Senior Information Security TPRM Analyst supports the execution of Live Oak’s third‑party security risk management activities by performing vendor security due diligence, documenting results, tracking remediation, and producing clear reporting for Information Security, Vendor Management, and Business Unit stakeholders. The role helps ensure third parties are assessed and monitored consistently through onboarding and ongoing review processes, contributes to maintaining relevant documentation (e.g., standards, procedures, and evidence) aligned to internal control expectations and applicable regulatory guidance, and supports customer trust and assurance activities through consistent security documentation and responses.
What You’ll Do at Live Oak
- Execute third‑party information security assessments (initial and periodic), including evidence collection, control evaluation, and documentation of inherent and residual risk
- Support the operation of the third‑party security risk program by following defined procedures, maintaining workpapers, and ensuring assessments are completed within agreed timelines
- Prepare materials and provide analysis to support information security governance forums (e.g., steering committee updates), including status, metrics, and key risk themes
- Maintain and help publish up‑to‑date third‑party security procedures, assessment templates, and supporting documentation
- Identify process improvement opportunities (e.g., workflow, tooling, data quality) and recommend enhancements to increase consistency and efficiency
- Leverage AI-enabled TPRM tools to accelerate intake and analysis (e.g., summarizing vendor evidence, mapping responses to control requirements, and identifying gaps), while validating outputs for accuracy and auditability
- Partner with Legal, Procurement, and Vendor Management to support security due diligence questions and standard contract/exhibit security requirements
- Apply sound judgment, communicate issues early, and document lessons learned to continuously improve assessment quality and outcomes
- Produce regular reporting on third‑party security assessment status, findings, exceptions, and remediation progress for Information Security and risk stakeholders
- Create, stand up, and continuously improve a Customer Trust Program (e.g., trust center content, security evidence library, and standardized customer security questionnaire responses) in partnership with Information Security and business stakeholders
- Contribute to a collaborative and inclusive working environment through effective communication, knowledge sharing, and respectful partnership
- Apply assessment experience to evaluate control design and effectiveness, and clearly document rationale and outcomes
- Coordinate with vendors and internal stakeholders to obtain evidence, clarify responses, and resolve open assessment items
- Monitor for relevant security and third‑party risk topics (e.g., control gaps, recurring issues) and escalate items to appropriate leads with supporting analysis
- Support audits and exams by compiling assessment evidence, responding to information requests, and ensuring third‑party risk documentation is complete and accurate
- Execute the risk‑based vendor assessment approach, including scoping, risk rating support, issue tracking, and remediation follow‑up for partners and service providers
- Document control requirements, map vendor evidence to controls, and identify opportunities to leverage first‑line testing or existing assurance reports (e.g., SOC)
- Support third‑party resiliency reviews by collecting and evaluating business continuity and disaster recovery documentation and tracking gaps
- Coordinate with Information Security, Compliance, Audit, Legal, and HR as needed to complete assessments and respond to third‑party risk-related requests
- Maintain metrics and dashboards (KPIs/KRIs) to measure assessment throughput, timeliness, issue aging, and recurring findings
- Support maintenance of the Cyber Risk register by drafting entries, updating statuses, and preparing summary views of top third‑party risks for stakeholder review
- Follow applicable regulatory requirements and internal policies (including those related to BSA/AML/CIP/OFAC, as relevant to the role) and escalate potential compliance concerns through appropriate channels
- Apply third‑party risk management and information security best practices (e.g., FFIEC guidance) when performing assessments and documenting results
- Maintain ongoing regulatory and policy awareness (including BSA/AML/CIP/OFAC, as applicable) and complete required training
Required Experience
- 5+ years in information security, technology risk, third‑party risk management, IT audit, or a related role
- Strong knowledge of security controls and third‑party risk concepts, including how they apply across applications, infrastructure, data, and business processes
- Working knowledge of information security and third‑party risk management guidance and expectations applicable to financial services (e.g., FFIEC), including evidence and documentation practices
- Hands‑on experience performing vendor due diligence (e.g., questionnaires, SOC report review, policy/evidence review), documenting results, and tracking remediation
- Experience supporting audits/exams by preparing evidence, responding to requests, and communicating assessment details to internal stakeholders
- Working knowledge of continuous monitoring and vendor risk intelligence tools (or ability to learn quickly)
- Knowledge of business continuity planning concepts and the ability to review third‑party resiliency documentation
Preferred Experience
- Strong project coordination, documentation, and written/oral communication skills
- Ability to work effectively with cross‑functional stakeholders (Information Security, Procurement, Legal, Vendor Management, and business owners)
- Experience operating within a third‑party risk management program, including process execution, workflow management, and continuous improvement
- Experience reviewing security terms in vendor contracts/exhibits and partnering with Legal on security requirement questions
- Experience applying banking/financial services security and third‑party risk expectations in day‑to‑day assessment and documentation work
Our Values
Dedication: Possess a deep commitment to Live Oak Bank’s mission and core values, exemplified through a strong work ethic, adaptability and pride in your work.
Ownership: Take initiative to deliver positive results by proactively and creatively solving problems, while maintaining a high degree of quality.
Respect: Treat everyone with courtesy, politeness, and kindness.
Innovation: Embrace fresh ideas and fearlessly contribute new solutions to emerging or existing problems.
Teamwork: Foster collaboration, accountability, and trust with others and understand that together, we do more.
For a detailed overview of our employee benefits, please visit: http://www.liveoakbank.com/careers/
Live Oak Bank is an Affirmative Action and Equal Opportunity Employer, Minorities/Women/Veterans/Disabled. We consider applicants for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, genetic information, veteran status or disability. Equal access to programs, service and employment is available to all persons. Those applicants requiring reasonable accommodation to the application and/or interview process should notify human resources at HumanResources@liveoak.bank.
EEO is the Law
The base pay range for this position is $128,500.00 - $179,900.00 per year. Compensation may also include annual bonuses and long-term incentives, subject to various metrics and company policy. A candidate’s salary is determined by several factors including travel, relevant work experience or skills and expertise.
Please note that we provide at least the minimum requirement of paid sick leave to our employees who reside in states that require employer-paid sick leave, including but not limited to Arizona, California, Colorado, District of Columbia, Maine, Maryland, Massachusetts, Michigan, Nevada, New Jersey, New Mexico, New York, Oregon, Rhode Island, Vermont, and Washington.