Rutuja Tembhurne

Bengaluru

Summary

Experienced third-party risk analyst with over 4 years of experience in risk assessment, vendor management and compliance monitoring. Skilled in identifying potential risks, developing mitigation strategies, and ensuring adherence to regulatory requirements. Proven expertise in developing and implementing comprehensive risk management frameworks and collaborating with cross-functional teams to mitigate third-party risks. Adept at using risk management tools to identify potential risks and enhance vendor oversight.

TOOLS: ServiceNow, CyberGRX, OneTrust, Jira, RFPIO, FortiSOAR, Google's Internal Tools (Ariane, Buganizer, Eldar, Privacy Diagnostic).

CERTIFICATIONS: CISSP-2023, ISO 27001 Lead Implementer-2024, ISO 27001 Lead Auditor-2023.

Overview

8 years of professional experience

Work History

Senior Information Security Analyst (US Team)

AUTODESK via Persolkelly
Bengaluru
05.2022 - Current

Third-party risk analyst.

  • Conducted comprehensive risk assessments for over 650 vendors, including enterprise technologies, products, services, and operations, based on applicable framework requirements from ISO 27001, NIST, CIS, COSO, PCI DSS, GDPR, and HITRUST CSF, resulting in a 60% reduction in compliance risks.
  • Conducted due diligence on vendors, evaluating financial stability, cybersecurity posture, and compliance with industry regulations.
  • Evaluated the capabilities of renowned cloud service companies such as AWS, Microsoft Azure and Google; SaaS platforms including Salesforce, Zoom and Slack; software providers offering custom or commercial off-the-shelf products; financial service providers; human resource and staffing agencies; marketing and advertising vendors; healthcare service providers; manufacturers; and regulatory compliance vendors such as OneTrust and Fortinet.
  • Prepared risk assessment reports based on the evidence collected, such as ISO 27001 reports, SOC 2 reports, vulnerability scan reports, penetration testing reports, security policies, and business continuity and disaster recovery plans, and presented findings to senior management, enabling informed decisions on vendor selection.
  • Documented key risks identified in a formal report, escalated high-risk findings as necessary to management, presented a detailed report to key technology and business process owners, and provided recommendations to mitigate risks.
  • Engaged with stakeholders to ensure alignment on risk management objectives and vendor performance criteria.
  • Coordinated periodic vendor audits and reviewed performance metrics, resulting in a 30% improvement in vendor accountability.
  • Developed and maintained a third-party risk management framework aligned with regulatory standards and internal policies, improving risk visibility.

RFIs (Request for Information) handling and responding to security questionnaires.

  • Managed and completed over 200 customer RFIs, ensuring accurate and timely responses.
  • Collaborated with internal teams to gather information and verify security controls.
  • Developed standardized templates for common RFI responses, reducing response time by 40%.
  • Ensured compliance with regulatory and contractual security requirements in all customer communications.

Privacy incidents handling and privacy impact assessments.

  • Investigated and resolved privacy incidents resulting from human error or technical error within applications.
  • Analyzed root causes and collaborated with cross-functional teams (e.g., Legal, IT, customers).
  • Conducted post-incident reviews to identify gaps and enhance internal controls, reducing the likelihood of repeat privacy incidents by 30%.
  • Generated incident cards (detailed records of all incidents, actions taken, and lessons learned) to support regulatory compliance.
  • Conducted PIAs to identify and mitigate privacy risks for new projects and services.

Security Analyst (US Team)

GOOGLE INDIA PVT. LTD via Ad Astra
Gurgaon
05.2021 - 05.2022

Third-party risk analyst.

  • Led multiple initiatives and complex projects of conducting third-party risk assessments using internal tools to execute against Google's internal security policy and compliance objectives.
  • Successfully led due diligence efforts for new vendors across 12 Google product areas (e.g., YouTube, Ads, Marketing, Photos, Display Ads, and Knowledge) to automate and streamline the process.
  • Created dashboards and metrics to analyze the progress and allow future improvement across all Security Working Groups.

Program manager.

  • Triaged 28,000 launches into different product areas and ensured that they met the standards required for internal security review.
  • Handled queue management for security and consultation bugs throughout all product areas in Google.
  • Onboarded LFC Bug Triage program into the various product areas, making sure that the products which have no privacy impacts go through this program.
  • Conducted Privacy Design Document audits in all privacy working groups across various product areas in Alphabet and Google.
  • Advised on organizational and technical challenges related to privacy and data protection. Helped develop creative solutions to incorporate privacy into technological developments and everyday business.
  • Streamlined processes across different privacy working groups to allow for future tooling automation and improvements.

Security Analyst

INFOSYS LTD
Bengaluru
04.2016 - 09.2017

  • Conducted third-party risk assessments, identified risks, and recommended risk mitigation controls.
  • Managed regular review of company data security policies, standards, and procedures, and recommended improvements when necessary.
  • Facilitated TPRM training and awareness initiatives across all business functions.
  • Liaised with business stakeholders to review data handling practices through PIAs and ensure data was processed in accordance with security standards.
  • Reviewed documents such as Master Service Agreements (MSAs) and SLAs, and responded to Requests for Proposals (RFPs).

Education

MSc in Information Systems for Business Performance (IT)

University College Cork
Cork
10.2019

MBA in Information Security

Symbiosis Centre For Information Technology
Pune
04.2016

Bachelor of Engineering in Computer Engineering

Nagpur University
Nagpur
04.2013

Skills

  • Third Party Risk Assessment and Management
  • Knowledge of standards, cybersecurity frameworks and regulatory compliance such as NIST, COBIT, CIS, OWASP Top 10, ISO 27001, ISO 27002, SOC 2, GDPR, FedRAMP, PCI DSS
  • Third-Party Risk Framework Development
  • Privacy Incident and Privacy Impact Assessment
  • Agile Methodology (Scrum/Sprint facilitator)
  • Business Process Improvement
  • Data Analysis and Reporting
