Expedia Group brands power global travel for everyone, everywhere. We design cutting-edge tech to make travel smoother and more memorable, and we create groundbreaking solutions for our partners. Our diverse, vibrant, and welcoming community is essential in driving our success.
Why Join Us?
To shape the future of travel, people must come first. Guided by our Values and Leadership Agreements, we foster an open culture where everyone belongs, differences are celebrated and know that when one of us wins, we all win.
We provide a full benefits package, including exciting travel perks, generous time-off, parental leave, a flexible work model (with some pretty cool offices), and career development resources, all to fuel our employees' passion for travel and ensure a rewarding career journey. We’re building a more open world. Join us.
About the Team:
The Expedia Group Security Governance, Risk, Compliance and Privacy (GRCP) organization is building a world‑class Third Party Risk Management (TPRM) Operations Center to support global supplier security and compliance operations.
We are seeking a highly organized and detail‑oriented Security Operations Analyst to support end‑to‑end third party security due diligence, ongoing monitoring, evidence collection, control assessment, documentation, and coordination activities across Expedia Group’s vendor ecosystem.
This role is ideal for someone who thrives in a fast‑paced environment, has strong operational discipline, and enjoys working across technical, legal, procurement, and business teams to help manage security and compliance risk from third parties.
As part of the India‑based TPRM Operations Center, you will play a key role in how we execute day‑to‑day third party risk operations and respond to customer, regulatory, and internal stakeholder expectations.
In this role, you will:
- Support end‑to‑end third party security assessments for new and existing vendors, including scoping, initiating assessments, collecting documentation, and tracking to closure.
- Review and analyze vendor security evidence (e.g., SOC 2 reports, ISO 27001 certificates, penetration test reports, security policies, questionnaires such as CAIQ/VSAQ/SIG) to identify control coverage, gaps, and issues.
- Perform structured security and risk evaluations against Expedia Group TPRM standards and industry frameworks (e.g., ISO 27001, SOC 2, NIST CSF, PCI DSS, privacy requirements) and document clear, defensible conclusions.
- Create and manage TPRM tickets and workflows (e.g., in Jira or a third party risk platform), ensuring assessments, findings, and remediation items are logged, updated, and closed within defined SLAs.
- Coordinate with internal stakeholders (Security, Privacy, Legal, Procurement, Engineering, Product, Business Owners) to obtain required information, clarify use cases, and agree on risk treatment decisions.
- Engage directly with vendors to clarify questionnaire responses, request additional evidence, explain control expectations, and follow up on remediation or risk treatment actions.
- Document assessment results including risk ratings, control gaps, compensating controls, and recommended actions in a consistent and audit‑ready manner.
- Support ongoing monitoring activities, including periodic reassessments, trigger‑based reviews (e.g., incidents, scope changes), certificate and report renewals, and continuous control monitoring where available.
- Maintain organized repositories of TPRM evidence and artifacts to support repeatable processes, customer due diligence responses, and regulatory examinations.
- Track and report status of third party assessments, issues, and remediation progress, highlighting risks, blockers, and trends to TPRM and GRCP leadership.
- Contribute to process and tooling improvements for TPRM workflows, templates, questionnaires, and metrics to drive efficiency, consistency, and better risk decisions.
- Support broader GRCP initiatives as needed, such as control mapping, new regulatory requirements impacting vendors, or integration of TPRM with other security and compliance programs.
Experience and Preferred Qualifications:
Minimum Qualifications:
- Bachelor’s degree in Computer Science, Information Security, Engineering, or a related technical field; or equivalent practical experience in security operations or incident response.
- 3–5 years of experience in third party risk management, security GRC, IT audit, vendor risk, or related technology risk/compliance roles
- Experience supporting vendor due diligence or security assessments, including reviewing security documentation such as SOC 2, ISO 27001, penetration test reports, or security policies/standards.
- Familiarity with common security and risk frameworks such as ISO 27001, SOC 2, NIST CSF, PCI DSS, and/or privacy requirements (e.g., GDPR, CCPA) and how they apply to third party environments.
- Understanding of core information security concepts (e.g., access control, encryption, logging/monitoring, network security, vulnerability management, incident response) and ability to relate them to vendor controls.
- Comfortable working in workflow and ticketing systems (e.g., Jira, ServiceNow) and ideally exposure to third party risk platforms (e.g., Archer, OneTrust, ServiceNow VRM, or similar).
Preferred Qualifications:
Experience handling complex, multi-stage security incidents in large-scale, distributed, or cloud-based environments, including root cause analysis and post-incident reviews.
Information security, audit, or risk certifications are a plus (e.g., CISA, CRISC, Security+, ISO 27001 Associate, CTPRP/CTPRP‑like third party risk certifications).
Proven track record of improving SOC effectiveness through detection engineering, runbook optimization, automation, or tuning of security tools to enhance signal quality and response speed.
Experience using data-driven approaches to identify security trends, measure operational performance, and prioritize improvements to controls, detections, and processes.
Background in integrating or supporting AI/ML-enabled security capabilities (for example behavior analytics, anomaly detection, or automated response) and safely operating these solutions in production.
Experience providing technical input into the design or improvement of security architectures, controls, and monitoring for new or existing services, working closely with engineering and platform teams to embed security by design.
Accommodation requests
If you need assistance with any part of the application or recruiting process due to a disability, or other physical or mental health conditions, please reach out to our Recruiting Accommodations Team through the Accommodation Request.
We are proud to be named as a Best Place to Work on Glassdoor in 2024 and be recognized for award-winning culture by organizations like Forbes, TIME, Disability:IN, and others.
Expedia Group's family of brands includes: Brand Expedia®, Hotels.com®, Expedia® Partner Solutions, Vrbo®, trivago®, Orbitz®, Travelocity®, Hotwire®, Wotif®, ebookers®, CheapTickets®, Expedia Group™ Media Solutions, Expedia Local Expert®, CarRentals.com™, and Expedia Cruises™. © 2024 Expedia, Inc. All rights reserved. Trademarks and logos are the property of their respective owners. CST: 2029030-50
Employment opportunities and job offers at Expedia Group will always come from Expedia Group’s Talent Acquisition and hiring teams. Never provide sensitive, personal information to someone unless you’re confident who the recipient is. Expedia Group does not extend job offers via email or any other messaging tools to individuals with whom we have not made prior contact. Our email domain is @expediagroup.com. The official website to find and apply for job openings at Expedia Group is careers.expediagroup.com/jobs.
Expedia is committed to creating an inclusive work environment with a diverse workforce. All qualified applicants will receive consideration for employment without regard to race, religion, gender, sexual orientation, national origin, disability or age.