Information Risk & Compliance Analyst

The Information Security Risk & Compliance Analyst will be responsible for assuring information security and managing risks related to the use, processing, transmission and storage of information, and the systems and processes used for those purposes. The Analyst's role lies within the Chief Information Security Officer's organizational structure, reporting to the Manager of Information Security Governance, Risk and Compliance.

Basic Qualifications and

The Analyst will be a key member contributing to the development and maintenance of information security policies, focusing on assessing and prioritizing risk across the organization, compliance with information security policies, and the development and reporting of information security metrics. The Analyst will perform risk assessments and control gap analysis against Information Security Policies and Risk Management Standards. The Information Risk and Compliance Analyst will create, organize and articulate summarized risk findings that are clear and actionable by business stakeholders, reduce risk by helping to prioritize and drive remediation efforts throughout the organization, and contribute to risk management, treatment, and reporting process efforts to protect data assets. The Analyst's role will help prepare for and facilitate assessments and examinations by qualified security assessors. The Analyst will perform third party supplier security assessments, as well as facilitate and coordinate responses for customer due diligence questionnaires.

  • Perform information security risk assessments and risk management activities across the organization. Establish and maintain risk criteria; identify, analyze, and evaluate information security risks. Ensure that repeated information security risk assessments produce consistent, valid and comparable results. Maintain a repository of documented information about the information security risk assessment process. Conduct risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities and risks.
  • Select appropriate information security risk treatment options based on risk assessment results, determine all controls necessary to implement those treatment options, compare controls and verify that no necessary controls have been omitted, and obtain the risk owner's approval of the risk treatment plan and acceptance of residual information security risks.
  • Perform information security, governance, risk and compliance assessment reports on third party suppliers to ensure supply chain risk is managed throughout the supplier's lifecycle. Produce final reports of pros and cons, observations of anomalies, and deliverables for the business, as well as mandates for supplier compliance. Articulate results of the final assessments to business stakeholders, project sponsors, program managers, and other internal parties. Assist with review of information security sections within supplier contracts to ensure security and data privacy requirements are in place.
  • Assist with the evaluation of the effectiveness of information security management and performance by developing, monitoring, gathering and analyzing information security and compliance metrics for management. Develop and implement a risk reporting framework for management teams and governance committees.
  • Design and document IT general controls to ensure the business demonstrates compliance with its regulatory or compliance obligations. Facilitate and coordinate activities and responses related to internal and external controls testing, including entitlement reviews. Facilitate the remediation of control gaps and escalate critical issues to management. Work closely with control owners and internal and external auditors to ensure requests are completed for timely delivery to audit. Assist with third party audits and certifications for the organization (e.g. SOC, ISO, PCI).
  • Assist with responding to customer information security requirements and due diligence questionnaires. Coordinate and facilitate response gathering in conjunction with other organizational application, support, infrastructure, legal, HR, and physical security teams as necessary. Ensure responses are accurate, valid, consistent and reported within expected deadlines. Maintain a repository of customer information security requirements, and track and report on compliance.
  • Analyze and evaluate information security incidents in order to reduce the likelihood or impact of future incidents. Facilitate reports of security violations by documenting and coordinating remediation and awareness of violations with the respective managers. Maintain a repository of information security incidents and develop metrics for reporting to management.
  • Research, recommend, and contribute to information security policies, standards, and procedures, and work with other organizational participants from legal, human resources, information technology, compliance, physical security, the business units and others that have to implement the policies. Assist with the lifecycle management of information security's policy and supporting documents.

Required Skills and Experience
  • Experience with risk assessments and compliance for major regulatory initiatives (e.g. SOX, PCI-DSS, HIPAA, FedRAMP)
  • Experience with cyber security and information security program management and frameworks (e.g. NIST CSF, ISO/IEC 27000)
  • Exposure to and familiarity with relevant standards such as the ISO/IEC 27000 family (Information Security Management Systems), the NIST Cybersecurity Framework, the NIST SP 800 series, and applicable laws related to regulatory compliance, information security and privacy (e.g. SOX, HIPAA, GDPR, PCI-DSS)
  • Knowledge of information security risk management and IT controls frameworks and methodologies (e.g. ISO/IEC 27005, COBIT, OCTAVE)
  • Knowledge of risk management principles (risk avoidance, transfer, mitigation, acceptance) and the risk assessment process
  • Knowledge of cloud security: Cloud Controls Matrix (CCM), Consensus Assessments Initiative Questionnaire (CAIQ)
  • Knowledge of Common Controls Hub - Unified Compliance Framework (UCF)
  • Knowledge of the Standardized Information Gathering (SIG) Questionnaire
  • Knowledge of AICPA SOC for Service Organizations
