Overview
What this challenge is about.
Design a 3-tier TPRM framework (critical / important / low-risk) with explicit classification criteria: data type, integration depth, downtime impact, and regulatory scope. For each tier, define the review depth:
- critical = full SIG-Lite + SOC 2 review + DPIA
- important = SIG-Lite + SOC 2 confirmation
- low-risk = self-attestation
Build the intake form (Notion / Vanta), a vendor-risk scoring rubric, and a renewal cadence per tier. Run the pilot on 12 vendors using their actual SOC 2 reports + DPAs.
Deliver:
- program playbook (15 pages)
- tiered intake form template
- pilot review of 12 vendors
- top-5 vendor-risk summary for the board
The Brief
What you'll do, and what you'll demonstrate.
Build a tiered TPRM program a 2-person security team can run, validated by a 12-vendor pilot.
Earning criteria — what you'll demonstrate
- Design a TPRM program tiered to fit a small security team's capacity
- Apply SIG-Lite + SOC 2 + DPA review to real vendors
- Score vendor risk consistently across reviewers
- Communicate concentration + key-vendor risk to a board audience
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Product Manager
PMs evaluating new vendor integrations need this lens to avoid shipping features that later need to be ripped out for compliance reasons.
This challenge sharpens
- third-party-risk
- risk-management
- compliance