Senior Info Security Analyst IND [T500-26675]
FM
Job Description
About us: We are a highly successful 190-year-old, Fortune 500 commercial property insurance company of 6,000+ employees with a unique focus on science and risk engineering. Businesses worldwide trust our expertise to protect their assets, relying on our comprehensive risk assessments and robust, engineering-based insurance solutions to safeguard against fire, natural disasters, and other perils. Serving over a quarter of the Fortune 500 and major corporations globally, we deliver data-driven strategies that enhance resilience, ensure business continuity, and empower organizations to thrive.
FM India is a strategic location for driving our global operational efficiency. Our presence in India allows us to leverage the country’s talented workforce and advance our capabilities to serve our clients better. We have diverse corporate functions that emphasize research, advanced technologies like AI and analytics, risk engineering, finance, marketing, HR, etc., working together to provide innovative solutions and nurture lasting relationships – from co-workers to clients.
Role Title: Sr Info Security Analyst IND

Position Summary: FM is seeking a Senior Information Security Analyst with expertise in Third-Party Risk Management (TPRM) and/or Security Controls Testing. In this role, you will play a critical part in protecting FM by assessing risks across external vendors, SaaS platforms, cloud solutions, and internal control environments. Your work will evaluate both the design and operating effectiveness of security controls and, where applicable, how third-party solutions interact with FM systems and data.
This includes reviewing security control environments, internal controls, and solution implementations with a focus on data handling, storage, processing, and system integrations. You will partner closely with business, technology, procurement, and risk stakeholders to identify risks, assess control effectiveness, and recommend practical, business-aligned mitigation strategies.

Job Responsibilities:
Lead end-to-end third-party risk assessments and/or security control testing activities, including planning, execution, documentation, and reporting.
Perform independent validation of control design and operating effectiveness across internal systems and/or external vendors in alignment with established frameworks and standards.
Evaluate vendor security programs, governance, and control environments, as well as internal controls, processes, and supporting evidence to determine effectiveness and maturity.
Assess solution architecture, cloud environments (SaaS/PaaS), APIs, data flows, and integration points, or validate controls governing these areas, depending on assignment.
Identify and communicate inherent and residual cyber risks, including issues related to data protection, identity & access management, system connectivity, and external exposure.
Review and interpret security documentation, including SOC 1/SOC 2 reports, control testing evidence, audit reports, architecture diagrams, and data flow diagrams.
Execute control testing procedures including walkthroughs, sampling, evidence review, and documentation of results in a consistent and repeatable manner.
Document findings clearly, including control gaps, deficiencies, and improvement opportunities, and support remediation tracking and resolution.
Recommend practical risk mitigation strategies, including compensating controls, control enhancements, secure design improvements, and contractual safeguards.
Partner with business, technology, procurement, and legal teams to support risk acceptance, exception management, and governance activities.
Skill and Experience:

Technical:
2-4 years of experience required in cybersecurity, information security, or cyber risk, with experience in third-party risk management (TPRM), security controls testing, IT risk, or audit.
General knowledge of operating systems, networks, databases, and application development, including how these components interact within secure enterprise environments.
Understanding of IT General Controls (ITGCs), including controls related to: logical access management, change management, computer operations, and system and database security controls.
Exposure to security frameworks such as NIST CSF, ISO 27001, CIS Controls, or SOC-aligned controls.

Soft Skills:
Strong verbal and written communication skills, with the ability to clearly document and communicate findings.
Strong interpersonal skills and ability to work across business, technology, and risk stakeholders.
Ability to manage multiple priorities and coordinate activities effectively.
Demonstrated attention to detail and professional skepticism.

Must Have Skills (Third-Party):
Third-Party Security Assessment: experience supporting or conducting vendor security reviews or third-party risk assessments.
Vendor Control Evaluation: ability to assess vendor security programs, control environments, and governance practices.
Third-Party Artifacts Review: experience reviewing SOC 1/SOC 2 reports, ISO certifications, and other assurance artifacts to identify risk and control gaps.
Solution & Integration Risk Awareness: understanding of how third-party solutions integrate with internal systems, including data flows and associated risks.
Risk Identification & Communication: ability to identify and communicate vendor-related risks, including data protection and integration risks.
Stakeholder Coordination: ability to partner effectively with procurement, legal, business, and technology teams during assessment activities.

Education and Certifications: 4-year bachelor’s degree required.
Preferred certifications: CISA, CISM, CISSP
Work location: Bengaluru