Security Operations Analyst II – Third Party Risk Management Operations Center

Posted 6 Hours Ago
Be an Early Applicant
Gurgaon, Gurugram, Haryana, IND
Hybrid
Mid level
AdTech • eCommerce • Information Technology • Travel • Generative AI
Powering global travel for everyone, everywhere.
The Role
Support end-to-end third party security assessments and ongoing monitoring: collect and review vendor evidence, evaluate controls against standards, manage TPRM workflows in ticketing platforms, coordinate remediation with internal teams and vendors, document audit-ready findings, and drive process and tooling improvements for vendor risk management.
Summary Generated by Built In

At Expedia Group, we help travelers explore the world, one journey at a time. As a global travel company powered by passionate people, trusted partnerships, and leading technology, we connect travelers, partners, and advertisers through our consumer brands, B2B network, and travel advertising business.


Here, you'll do meaningful work that helps millions of people discover, book, and experience travel with more ease, confidence, and joy. Our five Behaviors-Traveler First, Think Big, Operate with Excellence, Ownership Mindset, and Succeed Together-help foster a supportive environment where people can grow their careers and have the flexibility, benefits, and support to do their best work. Join us and build for travelers everywhere.

About the Team:

The Expedia Group Security Governance, Risk, Compliance and Privacy (GRCP) organization is building a world‑class Third Party Risk Management (TPRM) Operations Center to support global supplier security and compliance operations.

We are seeking a highly organized and detail‑oriented Security Operations Analyst to support end‑to‑end third party security due diligence, ongoing monitoring, evidence collection, control assessment, documentation, and coordination activities across Expedia Group’s vendor ecosystem.

This role is ideal for someone who thrives in a fast‑paced environment, has strong operational discipline, and enjoys working across technical, legal, procurement, and business teams to help manage security and compliance risk from third parties.

As part of the India‑based TPRM Operations Center, you will play a key role in how we execute day‑to‑day third party risk operations and respond to customer, regulatory, and internal stakeholder expectations.

 

In this role, you will:

  • Support end‑to‑end third party security assessments for new and existing vendors, including scoping, initiating assessments, collecting documentation, and tracking to closure.

  • Review and analyze vendor security evidence (e.g., SOC 2 reports, ISO 27001 certificates, penetration test reports, security policies, questionnaires such as CAIQ/VSAQ/SIG) to identify control coverage, gaps, and issues.

  • Perform structured security and risk evaluations against Expedia Group TPRM standards and industry frameworks (e.g., ISO 27001, SOC 2, NIST CSF, PCI DSS, privacy requirements) and document clear, defensible conclusions.

  • Create and manage TPRM tickets and workflows (e.g., in Jira or a third party risk platform), ensuring assessments, findings, and remediation items are logged, updated, and closed within defined SLAs.

  • Coordinate with internal stakeholders (Security, Privacy, Legal, Procurement, Engineering, Product, Business Owners) to obtain required information, clarify use cases, and agree on risk treatment decisions.

  • Engage directly with vendors to clarify questionnaire responses, request additional evidence, explain control expectations, and follow up on remediation or risk treatment actions.

  • Document assessment results including risk ratings, control gaps, compensating controls, and recommended actions in a consistent and audit‑ready manner.

  • Support ongoing monitoring activities, including periodic reassessments, trigger‑based reviews (e.g., incidents, scope changes), certificate and report renewals, and continuous control monitoring where available.

  • Maintain organized repositories of TPRM evidence and artifacts to support repeatable processes, customer due diligence responses, and regulatory examinations.

  • Track and report status of third party assessments, issues, and remediation progress, highlighting risks, blockers, and trends to TPRM and GRCP leadership.

  • Contribute to process and tooling improvements for TPRM workflows, templates, questionnaires, and metrics to drive efficiency, consistency, and better risk decisions.

  • Support broader GRCP initiatives as needed, such as control mapping, new regulatory requirements impacting vendors, or integration of TPRM with other security and compliance programs.

 

Experience and Preferred Qualifications:
 

Minimum Qualifications:

  • Bachelor’s degree in Computer Science, Information Security, Engineering, or a related technical field; or equivalent practical experience in security operations or incident response.

  • 3–5 years of experience in third party risk management, security GRC, IT audit, vendor risk, or related technology risk/compliance roles

  • Experience supporting vendor due diligence or security assessments, including reviewing security documentation such as SOC 2, ISO 27001, penetration test reports, or security policies/standards.

  • Familiarity with common security and risk frameworks such as ISO 27001, SOC 2, NIST CSF, PCI DSS, and/or privacy requirements (e.g., GDPR, CCPA) and how they apply to third party environments.

  • Understanding of core information security concepts (e.g., access control, encryption, logging/monitoring, network security, vulnerability management, incident response) and ability to relate them to vendor controls.

  • Comfortable working in workflow and ticketing systems (e.g., Jira, ServiceNow) and ideally exposure to third party risk platforms (e.g., Archer, OneTrust, ServiceNow VRM, or similar).

Preferred Qualifications:

  • Experience handling complex, multi-stage security incidents in large-scale, distributed, or cloud-based environments, including root cause analysis and post-incident reviews.

  • Information security, audit, or risk certifications are a plus (e.g., CISA, CRISC, Security+, ISO 27001 Associate, CTPRP/CTPRP‑like third party risk certifications).

  • Proven track record of improving SOC effectiveness through detection engineering, runbook optimization, automation, or tuning of security tools to enhance signal quality and response speed.

  • Experience using data-driven approaches to identify security trends, measure operational performance, and prioritize improvements to controls, detections, and processes.

  • Background in integrating or supporting AI/ML-enabled security capabilities (for example behavior analytics, anomaly detection, or automated response) and safely operating these solutions in production.

  • Experience providing technical input into the design or improvement of security architectures, controls, and monitoring for new or existing services, working closely with engineering and platform teams to embed security by design.

Accommodation requests

Expedia Group is committed to providing an inclusive and accessible recruiting experience. If you need an accommodation or adjustment due to a disability during the application or recruiting process, please submit a request at https://expedia.service-now.com/askeg?id=job_accommodation.


About Expedia Group

Expedia Group includes three flagship consumer brands - Expedia, Hotels.com, and Vrbo - along with a leading B2B travel business and travel advertising offerings. Across our brands and business, we help travelers explore the world with confidence and ease.


Important notice

Employment opportunities and job offers at Expedia Group will always come from Expedia Group's Talent Acquisition and hiring teams. Never share sensitive personal information unless you are confident of the recipient. Expedia Group does not extend job offers via email or messaging tools to individuals with whom we have not made prior contact. Our email domain is @expediagroup.com. The official place to find and apply for roles is https://careers.expediagroup.com/jobs/.


Equal Opportunity

Expedia is committed to creating an inclusive work environment with a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, religion, gender, sexual orientation, national origin, disability or age.

Skills Required

  • Bachelor's degree in Computer Science, Information Security, Engineering, or related technical field, or equivalent practical experience
  • 3-5 years experience in third party risk management, security GRC, IT audit, vendor risk, or related technology risk/compliance roles
  • Experience supporting vendor due diligence and reviewing security documentation (SOC 2, ISO 27001, penetration test reports, security policies)
  • Familiarity with security and risk frameworks (ISO 27001, SOC 2, NIST CSF, PCI DSS) and privacy requirements (GDPR, CCPA)
  • Understanding of core information security concepts (access control, encryption, logging/monitoring, network security, vulnerability management, incident response)
  • Comfortable working in workflow and ticketing systems (e.g., Jira, ServiceNow)
  • Exposure to third party risk platforms (e.g., Archer, OneTrust, ServiceNow VRM) is desirable
  • Information security, audit, or risk certifications (CISA, CRISC, Security+, ISO 27001 Associate, CTPRP-like) are a plus
  • Experience handling complex, multi-stage security incidents, detection engineering, automation, or data-driven operational improvements
  • Background integrating or supporting AI/ML-enabled security capabilities and advising on security architecture and controls

Expedia Group Compensation & Benefits Highlights

  • Wellbeing & Lifestyle Benefits Travel and wellness reimbursements, employee travel discounts, and flexible stipends are presented as standout perks that add meaningful lifestyle value. Mental-health resources and pet support broaden the package beyond core pay.
  • Parental & Family Support Paid parental leave for all parents with additional time for birthing parents, plus adoption, surrogacy, and caregiver support, are highlighted as generous and accessible. Immediate eligibility for parental leave reinforces the family-friendly design.
  • Healthcare Strength Medical, dental, and vision coverage is paired with inclusive healthcare extending to partners and covering fertility and transgender services. Access to mental-health platforms complements the core medical offering.

Expedia Group Insights

Am I A Good Fit?
beta
Get Personalized Job Insights.
Our AI-powered fit analysis compares your resume with a job listing so you know if your skills & experience align.

The Company
HQ: Seattle, WA
16,000 Employees
Year Founded: 1996

What We Do

Expedia Group powers travel for everyone, everywhere through our global platform. Driven by the core belief that travel is a force for good, we help people experience the world in new ways and build lasting connections. We provide industry-leading technology solutions to fuel partner growth and success, while facilitating memorable experiences for travelers. Expedia Group's family of brands includes: Brand Expedia®, Hotels.com®, Expedia® Partner Solutions, Vrbo®, trivago®, Orbitz®, Travelocity®, Hotwire®, Wotif®, ebookers®, CheapTickets®, Expedia Group™ Media Solutions, Expedia Local Expert®, CarRentals.com™, and Expedia Cruises™.

Why Work With Us

As travelers and technologists, we are passionate about making travel more seamless, accessible and memorable. We embrace different perspectives, celebrate new ideas, and empower every Expedian to drive meaningful change. The experiences we create bridge divides and broaden horizons – helping create unforgettable memories through travel.

Gallery

Gallery

Expedia Group Offices

Hybrid Workspace

Employees engage in a combination of remote and on-site work.

Typical time on-site: 3 days a week
HQSeattle, WA
JP
VE
HK
MY
Amsterdam, NL
Antalya, TR
Athens, GR
Auckland, NZ
Austin, Texas
Bangkok, TH
Barcelona, ES
Beijing, CN
Bengaluru, Karnataka
Berlin, DE
Bothell, US
Brisbane, AU
Brussels, BE
Chicago, US
Cologne, DE
Copenhagen, DK
Dallas, US
Denpasar, ID
Dubai, AE
Dublin, IE
Edinburgh, GB
Fort Lauderdale, US
Geneva, CH
Gurugram, Haryana
Gurugram, IN
Hanyang, KR
Ho Chi Minh, VN
Issaquah, US
İstanbul, TR
Johannesburg, ZA
Kailua-Kona, US
Kilkattalai, JO
Lahaina, US
Lisbon, PT
London, GB
Lyon, FR
Madrid, ES
Manila, PH
Marseille, FR
Melbourne, AU
Miami, US
Milan, IT
Mohokare, ZA
Montréal, CA
Munich, GD
Paris, FR
Poipu, US
Praha, CZ
Rome, IT
San Francisco, California
San Leonardo, PH
Sham Chun Hu, CN
Shanghai, CN
Singapore, SG
Springfield, US
Stockholm, SE
Sydney, AU
Taipei City, TW
Tokyo, JP
Toronto, CA
Wrocław, PL
Learn more

Similar Jobs

Expedia Group Logo Expedia Group

Security Engineer

AdTech • eCommerce • Information Technology • Travel • Generative AI
Hybrid
Gurgaon, Gurugram, Haryana, IND
16000 Employees

Expedia Group Logo Expedia Group

Development Engineer

AdTech • eCommerce • Information Technology • Travel • Generative AI
Hybrid
Gurgaon, Gurugram, Haryana, IND
16000 Employees

Expedia Group Logo Expedia Group

Learning and Development Trainer

AdTech • eCommerce • Information Technology • Travel • Generative AI
Hybrid
Gurugram, Haryana, IND
16000 Employees

Expedia Group Logo Expedia Group

Technical Support

AdTech • eCommerce • Information Technology • Travel • Generative AI
Hybrid
Gurugram, Haryana, IND
16000 Employees

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account