Position directly reports to the Manager of IT Compliance within the Cyber & Information Security Office for IST. Responsible for conducting and coordinating organizational compliance efforts including internal and external audits and risk and vulnerability management activities. Consults on the development, implementation, and maintenance of IT compliance controls. Reviews existing IT compliance controls for regulatory updates, creates and maintains various internal and external audit and compliance schedules for information technology and security services. Interprets audit results and makes determinations on the adequacy and reliability of controls. Recommends and facilitates remediation efforts from development through implementation. Prepares and presents reports, as necessary. Performs duties in a safe, efficient manner and in compliance with all applicable rules and safety procedures.
- Provides IT management and key stakeholders with guidance on managing risk, particularly on infrastructure security.
- Reviews IT risk assessments and control design to ensure controls are appropriate and effective.
- Participates in annual risk assessment as required.
- Develops and evaluates IT self-assessment/compliance programs to foster improved compliance.
- Assists IT with maintaining compliance with various regulatory requirements including NIST, HIPAA, ISO and PII.
- Completes annual SOC 2 analysis of key reports for IT vendors.
- Coordinates annual disaster recovery, business continuance, and penetration testing.
- Conducts internal IT self-assessments and works closely with internal/external auditors regarding IT security audits and/or assessments (e.g. network, operating system and datacenter), including identifying, evaluating and mitigating vulnerabilities.
- Responsible for coordinating and scheduling internal audits, as required by the independent assessor.
- Determines the objectives and scope of proposed internal audit and compliance efforts and submits the annual schedule for management review.
- Assists in the analysis, design, development, testing, documentation and implementation of information and cybersecurity solutions, security policies, standards, guidelines and procedures to ensure ongoing maintenance of security.
- Monitors, researches, analyzes, and interprets applicable regulations to determine applicability and risks to IT operations.
- Identifies and communicates recommended/required security controls and documents and monitors control implementation.
- Responsible for tracking audit and compliance remediation efforts and escalation of issues not properly addressed.
- Assists in developing new, and updating existing, information security policies, standards, guidelines and procedures based on industry best practices and regulatory requirements.
- Conducts annual reviews of security policies, standards, guidelines, and procedures, as required by the controls framework.
- Responsible for developing and maintaining broad knowledge of information security best practices and trends.
- Drives compliance efforts within IT and supporting third parties (vendor management).
- Promotes safety awareness and follows safety procedures in an effort to reduce or eliminate compliance non-conformities and accidents.
- Performs other job-related duties as assigned.
Experience and Qualifications Required:
- Solid practical and application knowledge of a broad range of standards and frameworks — for example, NIST Cybersecurity Framework, International Standards Organization (ISO) 27001, IT Infrastructure Library and ISO 20000, Capability Maturity Model Integration and Six Sigma, etc. — and their related applications or controls.
- Knowledge of common risk management methodologies — for example, Control Objectives for Information and Related Technology and Committee of Sponsoring Organizations Enterprise Risk Management.
- Industry-related audit, compliance, information security or business continuity management certification is preferred.
- Experience with development and/or maintaining risk and controls programs in complex IT environments.
- Strong ability to think creatively when approaching issues.
- Strong critical thinking and problem-solving skills.
- Proven teamwork skills to drive completion of organizational objectives.
- Ability to set and manage priorities judiciously to meet tight deadlines.
- Ability to present ideas in business-friendly and user-friendly language.
- Exceptionally self-motivated, directed and detail oriented.
- Superior analytical, evaluative and problem-solving abilities.
- Excellent communicator who understands the "art" of technical communications versus business, external or auditor communications.
- Strong level of experience using the MS suite of products.
- Ability to establish credibility and working relationships with a wide range of corporate personnel, including operations, management, executive and legal staff as well as external personnel, including auditors and regulators.
- Bachelor's degree in Information Technology, Business, or related field.
- Minimum of seven (7) years' experience in an enterprise IT auditing environment or IT risk & compliance role.
- Experience performing and interacting with internal/external audit representatives and general security compliance.
- Knowledge of IT audit and compliance approaches.
- Familiarity with information security terminology and technologies.
- Certifications such as Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), or CompTIA Security+ are preferred.