DTCC

Senior Data Protection Governance Analyst

DTCC
$100K - $130K *
Information Technology
5 - 7 years of experience
Job Overview by Ladders

Qualifications

  • 5-8+ years of experience in cybersecurity governance, technology risk, compliance, audit support, or data protection programs
  • Bachelor's degree preferred or equivalent practical experience
  • Strong analytical and documentation skills
  • Ability to communicate complex technical concepts clearly
  • Experience engaging with internal audit and regulatory stakeholders

Responsibilities

  • Own and govern day-to-day activities for the Data Protection Program
  • Maintain and manage program artifacts, including control inventories and governance documentation
  • Develop and govern standard operating procedures for data protection activities
  • Track data protection exceptions and manage approvals and reviews
  • Serve as a primary coordinator for data protection-related audits and develop audit-ready evidence packs
  • Produce and present management-level reports on data protection effectiveness
  • Act as a governance liaison across various teams to ensure alignment

Benefits

  • Collaborative and high-trust working environment
  • Opportunity to partner with various internal and external stakeholders
  • Engagement in continuous improvement and scaling of governance processes
  • Access to a culture that emphasizes integrity and accountability
  • Involvement in industry thought leadership and technology advancements
Full Job Description

The Impact You Will Have in This Role

The Senior Data Protection Analyst plays a critical role in ensuring the governance, measurement, and defensibility of DTCC's Data Protection Program. This role sits within the first line of defense, ensuring that management reporting, audit evidence, and risk narratives accurately reflect how data protection controls operate in practice.

While this role does not configure technical tools, it requires a strong working understanding of technical data protection controls, enabling the analyst to confidently articulate control intent, coverage, limitations, and effectiveness to internal stakeholders, auditors, and regulators.

The Senior Analyst partners closely with Data Protection Engineering and Operations, as well as second-line Risk Management and Internal Audit, to ensure the data protection program remains transparent, consistent, and regulator-ready as it scales across DLP, DSPM, CASB, and AI-driven data protection capabilities.

Your Primary Responsibilities:

Data Protection Program Governance
  • Own day-to-day governance activities for the Data Protection Program, ensuring alignment with DTCC control standards, regulatory expectations, and enterprise risk frameworks.
  • Maintain authoritative program artifacts, including:
    • Control inventories and control mappings
    • Operating procedures and governance documentation
    • Centralized repositories for evidence and program records
  • Manage policy review cycles, control attestations, and exception tracking related to data protection obligations.

Operational Procedures & Runbooks
  • Develop, maintain, and govern standard operating procedures (SOPs) and runbooks supporting data protection activities, including:
    • Alert triage and escalation
    • Exception handling and approvals
    • Remediation tracking and validation
  • Ensure procedures are current, consistently applied, and aligned with how controls operate in production.
  • Coordinate updates following control changes, incidents, or audit findings.

Exception & Issue Management
  • Own centralized tracking of data protection exceptions, issues, and management actions arising from:
    • Operational constraints
    • Business requests
    • Audit or regulatory findings
  • Manage exception intake, documentation, approvals, and periodic review to ensure items remain time-bound and risk-appropriate.
  • Validate remediation actions with Engineering and Operations teams and track issues through closure.

Audit & Evidence Pack Development
  • Serve as a primary first-line coordinator for data protection-related audits and reviews.
  • Develop and maintain audit-ready evidence packs, including:
    • Control design descriptions
    • Operating procedures
    • Metrics and effectiveness evidence
    • Exception and remediation records
  • Ensure evidence is complete, consistent, version-controlled, and defensible.

Metrics, Reporting & Risk Articulation
  • Own production of operational, management-level, and executive-level reporting on data protection effectiveness and risk posture.
  • Translate technical control signals (e.g., detections, coverage, exceptions) into clear, decision-useful risk narratives.
  • Ensure metrics are consistent, repeatable, and aligned to enterprise data risk reporting standards.

Audit, Risk & Regulatory Engagement
  • Serve as a first-line point of contact for Internal Audit, second-line Risk, and regulatory examinations related to data protection.
  • Coordinate collection, validation, and presentation of audit-quality evidence.
  • Track audit issues, management actions, and remediation commitments through to closure.

Cross-Functional Coordination
  • Act as a governance liaison across:
    • Data Protection Engineering & Operations (first line)
    • Data Risk Management and Technology Risk (second line)
    • Privacy, Legal, and Cyber Governance teams
  • Ensure alignment between technical protection outcomes and broader enterprise data risk narratives.

Program Maturity & Continuous Improvement
  • Identify opportunities to strengthen governance processes, reporting quality, and evidence consistency.
  • Support scaling of governance as new capabilities are introduced (e.g., expanded DSPM coverage, AI data controls).
  • Contribute to improving regulator and auditor understanding of modern, data-centric protection models.

Technical Control Understanding & Oversight
  • Maintain a strong working understanding of:
    • Data Loss Prevention (DLP) across email, endpoint, web, SaaS, and AI environments
    • Data classification and labeling models
    • Data Security Posture Management (DSPM)
    • CASB and AI proxy enforcement patterns
  • Partner with Engineering and Operations teams to:
    • Understand control intent, dependencies, and limitations
    • Validate that reporting reflects real-world control behavior
    • Identify gaps between control design, deployment, and outcomes

Qualifications
  • 5-8+ years of experience in cybersecurity governance, technology risk, compliance, audit support, or data protection programs within a regulated environment.
  • Bachelor's degree preferred or equivalent practical experience.

Talents Needed for Success
  • Demonstrates a strong commitment to integrity, transparency, and accountability in all aspects of work.
  • Proven ability to understand, govern, and effectively challenge technical security controls without serving in a direct hands-on engineering capacity.
  • Strong analytical, documentation, and executive-level communication skills, with the ability to distill complex technical concepts into clear, decision-ready narratives.
  • Experienced in engaging with Internal Audit, second-line risk functions, and/or regulatory stakeholders.
  • Maintains current knowledge of data protection, security governance, and evolving risk and regulatory expectations.
  • Builds and sustains trusted partnerships across engineering, risk, compliance, and governance teams.
  • Communicates clearly and confidently with both technical and non-technical stakeholders.
  • Contributes to a collaborative, high-trust working environment that encourages openness and shared responsibility.

The salary range is indicative for roles at the same level within DTCC across all US locations. Actual salary is determined based on the role, location, individual experience, skills, and other considerations.


About the Team

The team serves as a dedicated technology resource for advancing DTCC's business opportunities and providing industry thought leadership for leveraging new technology. The goal of this new department is to partner internally with IT and with our business and regulatory divisions, and externally with clients, regulators, and fintech vendors, to help build new platforms and business models that advance DTCC's mission to support the financial markets.

About DTCC

The Depository Trust & Clearing Corporation (DTCC) is a financial services company that provides clearing, settlement, and information services for the global financial industry. DTCC was founded in 1999 and is headquartered in New York City. The company operates through subsidiaries that provide services such as trade matching, risk management, and asset servicing. DTCC is owned by its users, which include broker-dealers, banks, and other financial institutions. The company is committed to reducing risk and increasing efficiency in the financial markets.
Size: 4,000 employees
Founded: 1973
