The Risk Analyst, Assessments and Authorizations has global responsibility for driving IT Risk Management as part of the Corporate Information Security (CIS) Assessments and Authorizations (A&A) program.
The A&A team is responsible for evaluating IT security risk and ensuring compliance with corporate policies as well as external standards and regulations. The risk analyst will perform risk assessments; carry out ongoing data gathering, analysis, and reporting; maintain metrics and the overall risk register; and support ongoing CIS/IT and/or business projects.
- Support A&A team operational activities by conducting risk assessments, performing the required analysis, and working with vendors, requestors, and various internal teams.
- Maintain and revise policies, processes, and procedures for the general operation of the Assessments and Authorizations (A&A) Program.
- Work with the PMO (and Change Management / CMDB) to develop clear processes that track all project certification activities, mitigation requirements and risk registers, and Authorities to Operate (ATOs), and execute accordingly.
- Support CIS/IT and/or business projects, as well as M&A activities, across all facets of CIS risk management.
- Execute the program based on NIST/ISO frameworks and industry best practices.
- Gather and store evidence in accordance with corporate standards so that programs can demonstrate and track compliance.
- Work with compliance analysts to ensure compliance with internal corporate security policies, industry best practices, and external standards and regulations such as PCI DSS, HIPAA, SOX, and FDA regulations.
- Collaborate with the team to develop and maintain tools and processes for the Governance, Risk & Compliance (GRC) program, providing visibility into and across all systems, applications, and projects globally to support risk and compliance measurement across the organization.
- Collaborate with other departments (e.g., PMO, Internal Audit, HR, Legal) to direct risk and compliance issues to the appropriate existing channels for investigation and resolution.
- Perform other duties as assigned.
- 4+ years of experience in IT systems analysis, security, audit, and related technical work is highly preferred.
- Strong interpersonal, organizational, presentation, and documentation skills are a must.
- Excellent customer service skills are required.
- Excellent verbal and written communication skills and the ability to interact professionally with a diverse group of executives, managers, and subject matter experts.
Bonus Qualifications (not explicitly required):
- ISO 27001 knowledge and experience
- NIST 800-30 knowledge and experience
- CISSP, CISM or CISA certification
- Knowledge of risk, compliance, and security requirements under NIST, ISO, PCI, SOX, HIPAA, the Gramm–Leach–Bliley Act (GLBA), and the General Data Protection Regulation (GDPR)
Non-Negotiable Hiring Criteria:
- Strong attention to detail and organizational acumen
- Proven ability to handle conflict and adversity with confidence and integrity
- Willingness to become an expert in the realm of risk management and information security
Bachelor’s degree in Computer Science, IT/Information Systems, Security Compliance, Risk Management, or Information Security & Assurance. Equivalent work experience is acceptable. Relevant security certifications are a plus.