Position SummaryThe Risk and Compliance Analyst will play a key role in supporting and executing the Firm's governance, risk and compliance (GRC) program. Reporting to the Compliance Manager, this role will independently manage components of the Firm's risk and compliance processes, including vendor risk management, client assessments, audit support, and policy governance. This position offers strong exposure to ISO 27001, client-facing security assessments, and enterprise risk management within a professional services environment.
Essential Duties and Responsibilities Typical responsibilities include, but are not limited to, the following:
- Support and help maintain the Firm's Information Security Management System (ISMS), including contributing to ISO 27001 compliance and annual recertification efforts.
- Manage day-to-day execution of the Firm's client security assessment process, including gathering documentation, tracking questionnaires, and coordinating responses with internal teams.
- Support third-party vendor risk assessments, including reviewing questionnaires, SOC reports, and supporting security documentation.
- Assist in conducting internal IT risk assessments by gathering information from business and IT stakeholders to identify risks, document findings, and support development of risk treatment plans.
- Support disaster recovery (DR) testing activities, including coordination, documentation, and tracking of results and action items.
- Execute user access recertification processes for standard and privileged accounts, including tracking completion and escalating issues as needed.
- Track and follow up on remediation efforts related to findings from client assessments, internal audits, penetration tests, and other security reviews.
- Support the ongoing use of tools supporting vendor risk management and compliance processes.
- Perform other duties as assigned.
Qualifications/Position Requirements- Familiarity with ISO 27001 framework, as well as NIST, SOC 2, or similar.
- Experience responding to client security questionnaires and conducting vendor risk assessments.
- Strong analytical, organizational, and time management skills with attention to detail.
- Proven ability to manage multiple priorities and projects simultaneously in a fast-paced environment while consistently meeting deadlines.
- Excellent verbal, written, and presentation skills, with the ability to communicate effectively with clients, leadership, and cross-functional teams.
- Strong interpersonal skills with ability to build relationships and interact with individuals at all organizational levels.
- Ability to work independently, exercise sound judgement, and take initiative while collaborating effectively across teams.
Education and/or Experience- Bachelor's degree required, preferably Business Systems, Information Systems.
- 3-5 years of experience in IT risk, compliance, audit, or information security.
- Previous experience in legal services preferred.
CompensationThe expected base salary for this position ranges from $100,000 - $125,000. Salary offers are based on a wide range of factors including relevant skills, training, experience, education, anticipated assignment, and, where applicable, licensure or certifications obtained. Market and organizational factors are also considered. Davis Polk offers a competitive salary and comprehensive benefits package.