Sr Info Security Analyst IND

FM India

Bengaluru, Full-time, Mid Level, On-site

Job Description

About us: We are a highly successful 190-year-old, Fortune 500 commercial property insurance company of 6,000+ employees with a unique focus on science and risk engineering. Businesses worldwide trust our expertise to protect their assets, relying on our comprehensive risk assessments and robust, engineering-based insurance solutions to safeguard against fire, natural disasters, and other perils. Serving over a quarter of the Fortune 500 and major corporations globally, we deliver data-driven strategies that enhance resilience, ensure business continuity, and empower organizations to thrive.

FM India is a strategic location for driving our global operational efficiency. Our presence in India allows us to leverage the country's talented workforce and advance our capabilities to serve our clients better. We have diverse corporate functions that emphasize research, advanced technologies like AI and analytics, risk engineering, finance, marketing, HR, etc. working together to provide innovative solutions and nurture lasting relationships from co-workers to clients.

Role Title: Sr Info Security Analyst IND

Position Summary:

FM is seeking a Senior Information Security Analyst with expertise in Third-Party Risk Management (TPRM) and/or Security Controls Testing. In this role, you will play a critical part in protecting FM by assessing risks across external vendors, SaaS platforms, cloud solutions, and internal control environments. Your work will evaluate both the design and operating effectiveness of security controls and, where applicable, how third-party solutions interact with FM systems and data.

This includes reviewing security control environments, internal controls, and solution implementations with a focus on data handling, storage, processing, and system integrations. You will partner closely with business, technology, procurement, and risk stakeholders to identify risks, assess control effectiveness, and recommend practical, business-aligned mitigation strategies.

Job Responsibilities:

- Lead end-to-end third-party risk assessments and/or security control testing activities, including planning, execution, documentation, and reporting.
- Perform independent validation of control design and operating effectiveness across internal systems and/or external vendors in alignment with established frameworks and standards.
- Evaluate vendor security programs, governance, and control environments, as well as internal controls, processes, and supporting evidence to determine effectiveness and maturity.
- Assess solution architecture, cloud environments (SaaS/PaaS), APIs, data flows, and integration points, or validate controls governing these areas, depending on assignment.
- Identify and communicate inherent and residual cyber risks, including issues related to data protection, identity & access management, system connectivity, and external exposure.
- Review and interpret security documentation, including SOC 1/SOC 2 reports, control testing evidence, audit reports, architecture diagrams, and data flow diagrams.
- Execute control testing procedures including walkthroughs, sampling, evidence review, and documentation of results in a consistent and repeatable manner.
- Document findings clearly, including control gaps, deficiencies, and improvement opportunities, and support remediation tracking and resolution.
- Recommend practical risk mitigation strategies, including compensating controls, control enhancements, secure design improvements, and contractual safeguards.
- Partner with business, technology, procurement, and legal teams to support risk acceptance, exception management, and governance activities.

Skill and Experience:

Technical:

- 2-4 years of experience required in cybersecurity, information security, or cyber risk, with experience in third-party risk management (TPRM), security controls testing, IT risk, or audit.
- General knowledge of operating systems, networks, databases, and application development, including how these components interact within secure enterprise environments.
- Understanding of IT General Controls (ITGCs), including controls related to: logical access management, change management, computer operations, and system and database security controls.
- Exposure to security frameworks such as NIST CSF, ISO 27001, CIS Controls, or SOC-aligned controls.

Soft Skills:

- Strong verbal and written communication skills, with the ability to clearly document and communicate findings.
- Strong interpersonal skills and ability to work across business, technology, and risk stakeholders.
- Ability to manage multiple priorities and coordinate activities effectively.
- Demonstrated attention to detail and professional skepticism.

Must Have Skills:

Controls Testing:

- Security Control Testing and Validation: Experience performing control testing, reviews, or self-assessments against defined standards, procedures, or frameworks.
- Familiarity with Security and Control Frameworks: Working knowledge of common frameworks such as NIST CSF, ISO 27001, CIS Controls, or SOC-aligned controls.
- Documentation and Evidence Collection: Ability to gather, review, and clearly document evidence supporting control design and operating effectiveness.
- Attention to Detail and Consistency: Strong focus on accuracy, repeatability, and completeness when executing testing procedures and documenting results.
- Collaboration and Coachability: Ability to work effectively with senior risk, compliance, and technology team members, take direction well, and continuously improve testing quality.

Education and Certifications:

- 4-year/bachelor's degree required.
- Preferred certifications: CISA, CISM, CISSP

Work location: Bengaluru

Posted Today
