Risk and Compliance Analyst II

About The Position

Requirements

• Bachelor's degree preferred, or comparable experience of 5+ years of combined experience in information security, GRC, BCP/DR, or risk management with at least 3 years of experience developing and implementing governance, risk, or compliance programs
• High school diploma or GED required
• Certified Information Security Auditor (CISA), Certified in Risk and Information Systems Controls (CRISC), or other relevant training and certifications are highly recommended
• Excellent attention to detail, critical thinking, and analytical skills
• Ability to work proactively and efficiently in a fast-paced environment, interacting professionally with others
• Dedicated to excellent customer service
• Ability to communicate effectively, verbally and in writing
• Ability to follow directions and collaborate effectively with a team
• Understanding of project management principals and methodologies

Nice To Haves

• Proficiency with Microsoft Office Word, Excel, and PowerPoint
• Proficiency with Governance, Risk, and Compliance (GRC) tools (i.e., RSA Archer, LogicManager, KnowBe4 Compliance Manager)
• Proficiency with vendor risk tools (e.g., Third Party Trust, Argos Risk, BitSight, RiskRecon)
• Familiarity with Microsoft 365 (e.g., Microsoft SharePoint, Teams, and OneDrive) and document management systems
• Familiarity with project management and agile collaboration tools

Responsibilities

• Maintain a balanced risk management and compliance control framework, working with key stakeholders in alignment with Firm and client standards
• Review Firm policies, procedures, and standards, partnering with Human Resources and other stakeholders to ensure compliance with client outside counsel guidelines
• Facilitate and document client security assessments and other client requests, including internal and client communications, meetings, deadlines, research, responses, and remediation requests
• Analyze client security assessment results and recommend improvements to business processes, administrative, and technical controls
• Collect vendor information from vendor owners, research tools, and public resources, ensuring the vendor database is up-to-date
• Maintain vendor management tools used to track the vendor management lifecycle, security risk assessments, business risk assessments, and contract reviews
• Conduct security and business risk assessments of third party vendors, tracking remediation requests in accordance with the vendor risk program and policies
• Review contracts for low risk third party vendors in accordance with the vendor management program, partnering with vendor owners and contract review attorneys
• Review and develop scenarios for the Firm’s risk register
• Partner with appropriate business units to ensure appropriate operational, technical, and data privacy controls are implemented and enforced
• Document internal controls and map to Firm and client compliance standards (e.g., ISO 27001, SOC 2, NIST, Center for Internet Security Top 18)
• Analyze compliance gaps and recommend improvements to business processes, administrative, and technical controls
• Respond to Data Subject Request (DSR) inquiries related to GDPR, CCPA, or other privacy laws
• Document, investigate, and report compliance issues and incidents, where necessary
• Collect, analyze, and prepare reports required for senior management, auditors, and other relevant stakeholders
• Assist with the outside counsel guideline review process (e.g., drafting responses, tracking deadlines, liaise with risk partners for review and approval)
• Assist with the audit letter review process (e.g., drafting letters, tracking deadlines, liaise with the Audit Committee for review and approval)
• Other duties as assigned

Benefits

• Competitive pay
• Comprehensive benefits package
• Opportunity to make an impact in today’s world