GRC InfoSec Risk Analyst

Job Description

GENERAL DESCRIPTION:

The governance, risk, and compliance (GRC) InfoSec Risk analyst is responsible for supporting the security direction of the business and elevating the company’s security posture. The GRC InfoSec Risk analyst is expected to support the security strategy of the business with new and existing information system capabilities. Consequently, the position requires both an understanding of legacy systems, as well as new technologies and requirements. The GRC InfoSec Risk analyst is also responsible for the analysis and implementation of policies and maintenance. The ideal candidate is technical and possesses at least five years of experience in IT security, compliance, or risk management. In tandem with IT and security leadership, the GRC InfoSec Risk analyst consistently assesses and validates the assurance of the security program. As a primary point of contact for internal and external auditors, the GRC InfoSec Risk analyst monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the IT GRC team, the GRC security analyst must focus on strong risk management and corporate resiliency, and not be driven solely by compliance. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business critical.

TASKS, DUTIES, FUNCTIONS:

1. Conduct enterprise-wide, ongoing risk analysis in tandem with compliance and security.

2. Maintain oversight in a GRC-related platform.

3. Identify strengths and weaknesses in the GRC program as they relate to privacy, security, business resiliency and compliance frameworks.

4. Document, formulate and enforce areas of security improvement that balance risk with business operations and do not diminish efficiencies or innovation.

5. Maintain strong oversight of third parties, vendors and business partners to safeguard against undue risk presented by external entities. Escalate to GRC management and business unit leads when points of weakness are discovered.

6. Analyze findings, and document, recommend and report program gaps to GRC leadership.

7. Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Apply GRC expertise across key lines of business, including products, practices and procedures.

8. Define qualitative and quantitative metrics to assess the success of the GRC program and provide regular reports to GRC, Security, and business leadership.

9. Ensure security and technology teams maintain up-to-date configuration documentation for systems and processes. Maintain rigorous oversight of security systems and security configuration administration to reduce risk to enterprise systems and accounts.

10. Act as a key participant in incident response to track occurrence and resolution, with strict documentation and reporting.

11. Work in tandem with security, audit and risk management leadership to perform ongoing security program assessments and create annual strategic technology and budgetary directives.

12. Attend and fully engage in change and project management meetings.

13. Liaison with auditors, both internal and external, to maintain and implement controls for compliance and privacy laws.

14. Act as a point of contact for disaster recovery and business continuity as it relates to security frameworks, compliance and privacy laws.

15. Perform other duties as assigned.

PHYSICAL SKILLS, ABILITIES, AND EXERTION UTILIZED IN THE PERFORMANCE OF THESE TASK:

1. At least five plus years’ experience in cybersecurity as a practitioner and with at least two to three plus years exposure with various security frameworks.

2. Strong business acumen and security technology skills for well-rounded proficiency, as well as proven ability to align with security practices and compliance responsibilities.

3. Experience and understanding of various regulatory requirements and laws, including but not limited to PCI, SOX, HIPAA, GDPR and GLBA. Additional experience in one or more of the following: ISO 27001/2, ITIL or NIST.

4. Exceptional written and verbal communication skills, and proven ability to translate security and risk to all levels of the business.

5. Capacity to understand legacy and progressive technology and security controls along with respective risk. Working knowledge of technologies such as cloud computing, DevOps and application security is required.

6. Up-to-date understanding of a wide range of incident response, system configuration, vulnerability management and hardening guidelines.

7. Track record of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating effectively.

8. Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls.

9. Prior team leadership experience preferred.

10. Must be self-directed, able to work on own initiative.

11. Ability to work under pressure and tight deadlines; may be required to work extended hours to complete tasks.

ORGANIZATIONAL CONTACTS & RELATIONSHIPS:

1. INTERNAL: All levels of staff and management, including Senior Management.

2. EXTERNAL: Members, vendors, suppliers, government agencies, credit union industry associations and peers at other financial institutions.

QUALIFICATIONS:

1. EDUCATION: Bachelor’s degree in business administration, Accounting, Management Information Systems or Computer Science is strongly preferred. An Advanced Degree in Business Administration or other related area is preferred.

2. EXPERIENCE: Minimum five years’ experience in cybersecurity as a practitioner and with at least two to three plus years exposure with various security frameworks, experience in a technology risk, security, or compliance role preferably in a financial institution. Detailed understanding of risk management and controls assurance. Strong understanding of information security controls and standards such as ISO 27001/2, NIST, CSF, and related frameworks. Thorough understanding of various regulatory requirements and laws such as, but not limited to PCI, SOX, HIPAA, HITRUST, GDPR and GLBA. Experience in a role balanced between business stakeholders and a central technology service organization. Certifications, such as CISSP, CRISC, CISA, CIPP, CISM, are well regarded.

3. KNOWLEDGE / SKILLS:

• Must have strong written skills, communication skills, and possess the ability to build trust and relationships with senior executives. This diversified position requires a strong ability to multitask.
• Strong analytical, problem solving, and decision-making skills to effectively understand and resolve complex strategies and issues.
• Must have good interpersonal skills and the ability to interact with employees at all levels of responsibility within the organization.

PHYSICAL REQUIREMENTS:

1. Prolonged sitting throughout the workday with occasional mobility required.

2. Corrected vision within the normal range.

3. Hearing within normal range. A device to enhance hearing will be provided if needed.

4. Ability to lift 20 lbs. as may be required.

5. Occasional movements throughout the department daily to interact with staff, accomplish tasks, etc.

6. May require long work hours to accomplish tasks.

7. Occasional travel may be required locally, statewide, and throughout the United States to attend seminars and vendor group meetings. Overnight travel and evening schedules included.

8. Prolonged use of telephone to accomplish tasks. LICENSES / CERTIFICATIONS: Holds or is working toward one or more of the following: CISSP, CRISC, CGEIT or GRCP. Project Management Professional (PMP) and (PfMP) certifications from the Project Management Institute (PMI) or Certified Business Analyst Professional (CBAP) from the International Institute of Business Analysis (IIBA) preferable, but not required.