Information Security GRC Analyst

About The Position

Requirements

• Minimum two years of relevant experience in the Information Security field with experience in the Governance, Risk, and Compliance disciplines.
• Working knowledge and understanding of information security control frameworks (e.g., CIS Critical Security Controls, ISO 27001, NIST SP800-453, COBIT, ITIL, OWASP, etc.), as well as regulatory requirements (e.g., SOX, SWIFT, PCI, HIPAA, GDPR, CCPA, etc.).
• Ability to implement automation and engineering solutions to improve GRC processes; experience or willingness to automate manual tasks and use engineering tools is preferred.
• Fundamental understanding of information risk concepts, risk assessments, and experience administering electronic Governance, Risk, and Compliance tools (e.g., OneTrust).
• Basic knowledge and understanding of IT General Controls and their application across information systems, infrastructure, applications, and cloud-based environments.
• Working knowledge and demonstrated experience working with and understanding information security controls attestation reports (e.g., SOC1, SOC2, ISO27001, PCI, etc.).
• 2+ years of experience performing information security risk assessments for IT vendors.
• 2+ years of experience communicating information security and controls conceptual and technical information to other IT professionals, business partners, IT Leadership, internal / external auditors, and vendors.
• 2+ years of experience examining information security controls attestation reports to determine effectiveness and impact to an organization and the controls relied upon from the vendors providing services to the organization.

Nice To Haves

• University degree in IT, Computer Science, Cybersecurity, or a related field.
• Governance, Risk, and Compliance related certifications such as CRISC and CGRC.
• Security+, CISA, or other relevant security related designation(s).
• Ability to determine the protection needs (i.e., security controls) of information systems, infrastructure, applications, and cloud-based environments.
• Knowledge of security management tools (e.g., vulnerability scanners, file integrity monitoring, configuration monitoring, etc.) and perimeter technologies (e.g., router, firewalls, web proxies and intrusion prevention, etc.).
• Knowledge of security principles, standards, and processes, such as authentication and access control, infrastructure hardening, network traffic analysis, endpoint security, platform architecture, application security, encryption and key management, cloud security, etc.).

Responsibilities

• Supports the key initiatives/projects focused on reducing technology risk, governance, compliance with policies and external regulatory compliance.
• Performs periodic security program gap assessments on an ongoing basis for all divisions.
• Responsible for SOX and security audit compliance activities; partners with IT staff and internal and external auditors in reviewing program activities; gathers information to support compliance efforts and requests from auditors; and provides updates to IT leadership as deemed necessary.
• Participates in addressing exception requests to information security policies and standards across all divisions; works with internal IT and business focal points to document the request, identify business justifications and compensating controls, and presents findings to IT Leadership for review and approval.
• Conducts information security vendor risk assessments and provides recommendations for system, network, and application design, implementation, and operational effectiveness controls.
• Works with IT teams to develop corrective action plans for identified findings from internal security controls assessments, vendor risk assessments, internal and external audits, or other security reviews; tracks remediation efforts to closure.
• Contribute to the creation, maintenance, and revision of information security policies and standards, and serve as an advisor to divisional security teams, supporting their understanding and implementation of these policies and standards.
• Serves as subject matter expert to internal business and technology teams and security teams on risk management activities and industry best practices.

Benefits

• Medical, vision & dental benefits upon hire
• 401K with company match
• Paid Time Off & Company Holidays
• Wellness Program
• Tuition reimbursement
• Employee pork purchase program