Security Operations Analyst II - Third Party Risk Management Operations Center
About the role
The Expedia Group Security Governance, Risk, Compliance and Privacy (GRCP) organization is building a world‑class Third Party Risk Management (TPRM) Operations Center to support global supplier security and compliance operations. We are seeking a highly organized and detail‑oriented Security Operations Analyst to support end‑to‑end third party security due diligence, ongoing monitoring, evidence collection, control assessment, documentation, and coordination activities across Expedia Group's vendor ecosystem.

This role is ideal for someone who thrives in a fast‑paced environment, has strong operational discipline, and enjoys working across technical, legal, procurement, and business teams to help manage security and compliance risk from third parties. As part of the India‑based TPRM Operations Center, you will play a key role in how we execute day‑to‑day third party risk operations and respond to customer, regulatory, and internal stakeholder expectations.

In this role, you will:

- Support end‑to‑end third party security assessments for new and existing vendors, including scoping, initiating assessments, collecting documentation, and tracking to closure.
- Review and analyze vendor security evidence (e.g., SOC 2 reports, ISO 27001 certificates, penetration test reports, security policies, questionnaires such as CAIQ/VSAQ/SIG) to identify control coverage, gaps, and issues.
- Perform structured security and risk evaluations against Expedia Group TPRM standards and industry frameworks (e.g., ISO 27001, SOC 2, NIST CSF, PCI DSS, privacy requirements) and document clear, defensible conclusions.
- Create and manage TPRM tickets and workflows (e.g., in Jira or a third party risk platform), ensuring assessments, findings, and remediation items are logged, updated, and closed within defined SLAs.
- Coordinate with internal stakeholders (Security, Privacy, Legal, Procurement, Engineering, Product, Business Owners) to obtain required information, clarify use cases, and agree on risk treatment decisions.
- Engage directly with vendors to clarify questionnaire responses, request additional evidence, explain control expectations, and follow up on remediation or risk treatment actions.
- Document assessment results, including risk ratings, control gaps, compensating controls, and recommended actions, in a consistent and audit‑ready manner.
- Support ongoing monitoring activities, including periodic reassessments, trigger‑based reviews (e.g., incidents, scope changes), certificate and report renewals, and continuous control monitoring where available.
- Maintain organized repositories of TPRM evidence and artifacts to support repeatable processes, customer due diligence responses, and regulatory examinations.
- Track and report the status of third party assessments, issues, and remediation progress, highlighting risks, blockers, and trends to TPRM and GRCP leadership.
- Contribute to process and tooling improvements for TPRM workflows, templates, questionnaires, and metrics to drive efficiency, consistency, and better risk decisions.
- Support broader GRCP initiatives as needed, such as control mapping, new regulatory requirements impacting vendors, or integration of TPRM with other security and compliance programs.

Experience and Preferred Qualifications: