Senior Technology Risk Analyst

About The Position

Requirements

• Bachelor’s degree in Computer Science, Engineering, Information Technology, Information Systems, Management Information Systems, Business Administration, or a closely related field (or foreign education equivalent) and three (3) years of experience as a Senior Technology Risk Analyst (or closely related occupation) performing Information Technology (IT) audits, risk assessments, and cybersecurity control review.
• Or, alternatively, Master’s degree in Computer Science, Engineering, Information Technology, Information Systems, Management Information Systems, Business Administration, or a closely related field (or foreign education equivalent) and one (1) year of experience as a Senior Technology Risk Analyst (or closely related occupation) performing Information Technology (IT) audits, risk assessments, and cybersecurity control review.
• Demonstrated Expertise (“DE”) performing and coordinating external audit engagements for a large distributed enterprise -- SOC 1, 2, and 3, controls attestation reports, financial audits, and ISO 27001 external IT audit programs; coordinating responses to auditor requests for information with internal IT organizations; maintaining in-scope IT General Control (ITGCs) and IT Application (ITAC) documentation and procedures; and providing recurring management status reporting.
• DE executing IT controls assurance programs by identifying and designing new controls, evaluating control procedures and evidence documentation, and conducting control assessments through formal design and operating effectiveness reviews; establishing control maturity and control/process enhancements using industry control frameworks -- American Institute of Certified Public Accountants (AICPA) Trust Service Criteria, ISO 27002 code of practice for information security management, Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and Related Technologies (COBIT), or National Institute of Standards and Technology (NIST) CSF.
• DE performing risk and IT audits; implementing ITGC or cybersecurity controls for large-scale, complex IT infrastructures -- mainframe, distributed, network, Cloud, vendor hosted (SaaS/PaaS); reviewing vendors independent SOC 1 or SOC 2 audit reports to confirm vendor has appropriate controls in place for the services provided or to safeguard data; and creating executive communications, focused on risk, impact, and corrective actions, using existing Governance, Risk, and Compliance (GRC) tools (RSA Archer, IBM Open Pages, ServiceNow, or MetricStream).
• DE performing risk assessments and IT audits of secure software development lifecycle (SDLC) processes and procedures; automating code build and deployment pipelines or orchestration solutions, using GitHub, SonarQube, Jenkins, Artifactory, or uDeploy; assessing software development controls, identifying potential gaps and inconsistencies, and making recommendations for improvement and mitigation; and overseeing remediation plans and providing recurring management status to senior management.

Responsibilities

• Develops and monitors controls related to DevOps, Cloud, and new technologies to meet audit objectives and requirements.
• Identifies, tracks, monitors, reports, and advises any risks to external audit engagements.
• Helps enhance and run external audit oversight program activities, including defining and executing the external audit strategy and program.
• Develops best in class standards and practices for external audits.
• Works closely with the various business unit technology risk and Enterprise Technology Risk (ETRA) Center of Excellence (COE) to perform proactive risk and control assessments for externally audited environments, monitors technology controls, and documents remediation plans.
• Conducts in depth information technology risk assessments including documenting controls, identifying potential gaps and/or inconsistencies, and making sound recommendations for improvement and/or mitigation.
• Develops analytics to proactively identify risk across the firm mainly in high impact areas including logical access, application resiliency, cloud, and vendor.