The Risk Analyst, IT Governance, Risk, & Compliance will assist in identifying, prioritizing, and communicating organizational cyber and business-related risks. This position will assist in analyzing, identifying, documenting, and communicating qualitative and quantitative risk to the organization. The primary role will include monitoring and implementing security controls to ensure the organization maintains compliance with internal and external audit requirements across all departments. The role requires effective problem solving and the ability to advise business leaders on the prioritization of risk in line with best practices and security frameworks.
- Risk Management
- Create assessment and track mitigation activities
- Identify current and future security vulnerabilities
- Recommend priorities for processes, solutions, and tools to reduce organizational risks
- Responsible for identifying, tracking, addressing, and reporting on all information-related risk across the enterprise, whatever aspect of the business it arises from
- Develops & manages all IT POA&Ms (Plans of Action and Milestones)
- Risk Register -- Partner with business leaders to develop, document and maintain list of cyber and business-related risks
- Assessing Risk -- Document and measure qualitative and quantitative risks that align with organizational risk tolerance and priorities
- Regulatory Requirements -- Monitors new and proposed laws, regulations, industry standards, and ethical requirements related to Information Security and Policy including, but not limited to HIPAA, HITRUST, CCPA
- Control Frameworks -- Monitors new and proposed IT security frameworks including NIST CSF and ISO 27000, to align with recommended best practices
- Risk Management
- External Assessments -- Document and drive remediation for POA&Ms arising from external assessments
- 3rd Party Assessment Program -- Support and execute the security & compliance assessment program for all 3rd parties the company uses to process or transmit our data; this is an ongoing task that requires at least yearly reviews of all 3rd parties, and often requires reporting out to our customers.
- Security Awareness -- Supports ongoing security awareness program that covers all employees, but that is tailored to the risk profile of a given business unit or organization.
- Assists in creating desktop procedures, policies, and processes to support internal and external audit control testing, including but not limited to HIPAA, SOX, and CCPA.
- Support as needed to gather evidence related to IT General Controls
- IT Control Execution
- Control Alignment -- Optimize ITGC testing and control execution so that a single control execution satisfies multiple frameworks
- Customer Audits -- Ensures all customer compliance commitments are met at all times, and supports interactions with customer audits of our Program
- Regulatory Compliance -- Responsible for documenting, streamlining, and maturing IT General Controls to support compliance with HIPAA, SOX, & CCPA
- IT Audit Compliance - Support the timely execution of IT General Control testing activities as required
- Customer Compliance -- Tracks key customer compliance requirements & performs customer compliance activities, such as periodically updating specific customers on specific security and compliance program performance items at that customer's request, so that we remain continuously compliant with our customer commitments
- Customer Engagements -- Review all customer security & compliance questionnaires and similar engagements to ensure they are answered accurately, completely, consistently, quickly, and commensurate with the scope of the services provided
- Contracts -- Partner with legal & non-IT compliance teams to complete reviews & tracking for all security & compliance aspects of all contracts
- Policy Development -- Assess and maintain the Security Policy so that it aligns with a globally accepted best-practice framework, such as NIST SP 800-53 or the ISO/IEC 27000 series
- Training -- Ensures IT staff are adequately trained to understand the risks & controls for which they are responsible
- Reporting -- Periodically reports metrics related to IT risk management activities
- OKRs & KPIs -- Develops, monitors, regularly reports, and ensures adherence to OKRs & KPIs for IT risk management
- Bachelor's Degree in Computer Science, Computer Engineering, or Information Security / Cyber Security, or an equivalent combination of education, training, and experience
- ISC2 CISSP certification preferred
- ISACA CRISC certification preferred
- ISACA CISM certification a plus
Skills & Experience
- Minimum 3 years of experience in a full-time Information Security risk management role
- Risk Management - Deep expertise in identifying, documenting, and managing qualitative risk. Expertise in quantitative risk, particularly in the FAIR model, is a significant plus.
- Audit Management - Strong understanding of standard audit processes and methods, and of auditors' goals, motivations, and desired outcomes
- Compliance - Expertise in regulatory requirements and industry standards such as HIPAA, HITRUST, SOX, SOC, NIST CSF, ISO 27000, & CCPA.
- Governance - Can communicate desired outcomes and align stakeholders around them based on an objective assessment of the level of identified risk.