The Senior IT Control Assurance Analyst is responsible for establishing and maintaining the IT Control Assurance program, which includes policies, standards and procedures aimed at reducing operational IT risk. This position is aligned functionally within the IT organization and is responsible for ensuring control activities are formally defined and aligned across IT disciplines. The position requires an ability to interpret control frameworks, IT technical procedures, and legal, compliance, and regulatory requirements to ensure IT activities meet intended objectives. The role includes guiding IT towards the remediation of gaps and control deficiencies, where applicable. The position works closely with Risk and Governance teams for holistic control and reporting, and assists in evaluating current and future IT tools and procedures for compliance and monitoring.
- Establish and maintain a Control Assurance framework that aligns the IT risks, controls, objectives, regulatory requirements, policies and control procedures.
- Work closely with IT control managers to establish, design and measure agreed upon key controls aligned with the firm’s risk profile.
- Assist in the development of new IT Control Assurance initiatives, including policies, processes and awareness programs.
- Apply control assurance processes to identify control deficiencies, recommend solutions, validate remediation plans, and.
- Conduct IT Controls Assurance program activities to assess compliance with the firm's policies, standards and procedures.
- Participate in IT and firm-wide committees including Risk Focus Group, as needed.
- Support and develop metrics and measurement systems that identify control effectiveness and drive remediation.
- Recommend appropriate control analysis tools to support program objectives.
- Ensure existing and new policies and standards contain content that accurately reflect BBH's IT operating environment and that content is synchronized with other Firm policies and standards and regulatory requirements.
- Ensure changes to policies and standards are communicated to the relevant parties appropriately through department communication protocols or enhancements to firm-wide training as needed.
- Apply knowledge of Industry or Regulatory Standards, including FFIEC, COBIT, ISO, SOC2, and NIST, as needed.
- Track, compile and review materials for external and internal IT audit, regulatory and compliance incidents.
- Investigate and accurately record and report on the details of data privacy and fraud incidents; track remediation activity of same. Reporting includes the ability to inquire and communicate to varying audiences the discovery, triage, containment, scope, remediation and long-term prevention of events.
- Deliver and continue to enhance management level reports on the progress and state of IT Risk programs and initiatives.
- Become an expert user of the standard Archer toolset for maintaining, communicating and reporting on policies, standards and procedures.
- Bachelor's degree or equivalent work experience or specialized training required.
- 7-10 or more years of relevant IT work experience, preferably in IT Governance, Risk and Compliance areas, but may include Information Security, IT Enterprise Architecture, IT Vendor Assessment, Development, or Production Assurance.
- 5+ years of experience in the financial services industry preferred.
- Excellent interpersonal, communication (oral and written), organizational, and decision-making skills.
- Demonstrates integrity, good judgment, and tact in communication and decision making.
- Ability to appropriately balance firm IT risks with business impact and benefit.
- Ability to recognize patterns in structured and unstructured data and to draw appropriate connections between seemingly disparate pieces of information.
- Flexibility to adjust quickly to multiple demands, shifting priorities, ambiguity, and rapid change.
- Must be able to work independently and with minimal direct supervision.
- Strong problem-solving and analytical skills.
- Ability to interact with all levels of management.
- Excellent project management skills.
- Strong understanding of IT-related regulatory and industry best practices and standards, including ITIL, FFIEC, COBIT, ISO, NIST, privacy, etc.
- Strong understanding of Systems Development Lifecycle methodologies.
- Ability to use standard desktop tools effectively, including Microsoft Office and Visio.
Other requirements (licenses, certifications, specialized training, physical or mental abilities required)
- Preferably holds one or more of the following or equivalent certifications: CISSP, CISM, CISA, CIA, CRISC, CGEIT, CIAC, ISO.
- Awareness of or certification in the use of GRC tools such as Archer.