Analyst III, Information & Cyber Governance, Risk & Compliance

General Communication

Anchorage, AK

Industry: Telecommunications

Experience: 5 - 7 years

Posted 35 days ago

The Analyst, Governance, Risk and Compliance Security (GRC) will develop and manage the third party risk management program, with an emphasis on contract review and tracking and on assessing third party security documentation. The Third Party Risk Management Program involves developing third party relationships, documenting general information on each third party within the GRC application, and building schedules for assessing those third parties.

Essential Duties of the Analyst, Governance, Risk and Compliance Security (GRC):

Policy & Procedure:

  • Develop and maintain Information security policies, procedures and standards.

  • Maintain a current knowledge of applicable laws, regulations and internal compliance policy and procedure.

  • Build and execute GRC programs.

  • Examine policies, procedures, and practices to ensure compliance with laws and regulations and implement any needed changes.

  • Develop departmental work instructions as well as training for auditing activities.

Risk:

  • Manage the security risk identification, mitigation and exception / acceptance processes.

  • Support the organization as subject matter expert in assessing risk both internally and externally.

  • Test to identify possible control weaknesses in departments and functions and other operational areas and recommend changes to minimize those weaknesses.

  • Draft recommendations to communicate control performance results and regulatory findings to management in an efficient, timely and concise manner.

  • Facilitate and ensure successful completion of various audits including but not limited to SOX, PCI, SSAE16, SOC2, etc.

Security Compliance:

  • Support the organization as subject matter expert in security compliance assessments, auditing, testing and monitoring both internally and externally.

  • Assist project teams with implementation of security controls and compliance frameworks.

  • Monitor the industry regulatory environment for impact on security programs and changes to security compliance standards.

Security Audit:

  • Assist in the development of security audit procedures.

  • Support the organization as subject matter expert in compliance auditing, testing and monitoring both internally and externally.

  • Audit and assess third-party vendor risk.

Administration & Operations:

  • Support security compliance initiatives and assessments, including responses to client security organization audits and questionnaires.

  • User administration of roles and permissions pertaining to the compliance and risk system.

  • Provide systems administration training to end users.

  • Prepare analysis of cross functional risk data to identify trends.

  • Prepare reporting packages and highlight potential risks for review.

  • Perform risk assessments and audits.

  • Prepare routine, special, or ad hoc reports. Identify metrics that fall outside of risk tolerances and escalate within department.

  • Work with department stakeholders to implement changes and continually monitor the risk controls that are put in place.

  • Develop action plans from audits to mitigate risk potential within departments and throughout the organization.

  • Maintain dashboards, SLAs, KPIs relating to the health and operation of systems.

Knowledge, Skills, Abilities:

Technical Competencies:

  • Experience with the common regulatory and control frameworks, such as: ISO 27001, NIST 800-53, SOX, PCI, SSAE16, SOC 1 & 2, HIPAA / HITRUST, COSO, COBIT.

  • Experience with performing compliance and risk assessment audits.

  • Experience with GRC software preferred.

  • In-Depth understanding and working knowledge of information security data and processes.

  • Ability to work and coordinate in a multi-team environment including program managers, business analysts, IT analysts and other security professionals.

People, Team and Self:

  • Ability to develop and maintain productive relationships with peers and managers across the enterprise.

  • A strong customer/client focus, with the ability to manage expectations appropriately, to provide a superior customer/client experience and build long-term relationships.

  • Demonstrated ability to discuss complex technical details with extended support staff and translate into non-technical communication.

  • Strong analytical skills to analyze security requirements and relate them to appropriate security controls.

  • Ability to interact with GCI's personnel at all levels and across all business units and organizations, and to comprehend business imperatives.

  • Ability to work independently while handling multiple projects with changing priorities and deadlines.

  • Excellent verbal and written communication skills and the ability to interact professionally with a diverse group of executives, managers, and subject matter experts.

  • Excellent organizational, planning and time management skills.

  • Ability to work with only minimal supervision.

  • Strong written, verbal and presentation communication skills.

  • Ability to work flexible hours; some weekend work may be required.

  • Ability to travel as needed.

Additional Job Requirements: This is an advanced level position and functions under minimal supervision.

  • Mentor and train Analysts I & II.

  • Superior analytical and problem-solving skills.

  • Superior written, verbal and presentation communication skills.

  • Demonstrated ability to lead GRC programs.

  • Strong leadership abilities, with the capability to develop a GRC team and guide team members and to work with only minimal supervision.

  • Leadership role in the development of GRC policies, procedures & standards.

  • Consult with external customers.

Physical Requirements: This position requires the ability to lift and carry up to 20 lbs. and physical effort that may include stooping, kneeling, touching, feeling, reaching, standing, walking, pushing, pulling, lifting, fingering, grasping, talking, hearing, and repetitive motions, as well as working in cramped spaces and at heights. Hearing, vision, depth perception, and hand-to-eye coordination sufficient to perform job duties. Visual and auditory acuity necessary to operate equipment and identify color-coding. Ability to tolerate temperature and weather extremes (fumes and odors, dust, low light conditions). Strength and coordination sufficient to perform job duties.

Working Conditions: The company and its subsidiaries operate in a 24/7 environment providing critical services to Alaskans and may need to respond to public health and safety matters or other business emergencies. Due to business needs, employees may be contacted outside of normal business hours to respond to an immediate emergency. As such, you will be requested to provide emergency after-hours contact numbers, including your home and cell phone numbers if you have those services. The majority of physical security work will be performed inside an office environment, Monday through Friday. After-hours and outside work may be required on occasion as needed.

LH 9.2017

Minimum Qualifications:

  • Minimum of six (6) years' experience in Information Security, including a minimum of four (4) years involving Information Security incident response duties.

  • Experience with contract reviews, contract redlining, developing or responding to RFPs, and managing third party relationships is required; experience in assessing third parties, developing process documentation and building reporting metrics is preferred. Third party risk management experience is highly desirable.

  • Bachelor's degree in computer science, technology, security or a related field required. Relevant experience in compliance, risk assessment, third party risk management, policy development, security control development, security auditing, information technology systems, or security administration may be substituted on a year-for-year basis for the college degree.

  • Certifications: Three (3) of the following certifications are highly desired:

    • GCPM: GIAC Certified Project Manager

    • CISA: Certified Information Systems Auditor

    • CRISC: Certified in Risk and Information Systems Control

    • CISSP: Certified Information Systems Security Professional

    • CGEIT: Certified in the Governance of Enterprise IT

    • CISM: Certified Information Security Manager

    • GSLC: GIAC Security Leadership

    • CSX Certificate, CSX Practitioner, or CSX Specialist

    • Other applicable IT, Information Security and Compliance related Certifications

  • Driving Requirements (if applicable): Must possess and maintain a valid driver's license, proof of insurance, and a satisfactory driving record.

19000181