IT Risk and Compliance Analyst Accounting - Portsmouth, NH at Geebo

IT Risk and Compliance Analyst

Company Name:
Direct Capital Corporation
The IT Risk and Compliance Analyst assists with oversight of the Information Security risk management program, third-party risk assessments and corporate BCP/DR initiatives. This role is also responsible for executing a variety of annual, quarterly and monthly procedures and controls, such as user access reviews, policy updates and control testing. This role also manages the interface between IT management and both internal and external auditors for the Service Organization Control (SOC 2 and SOC 3) reports and other compliance initiatives, including providing requested audit inputs. This role reports to the CISO.
So here is what you'd be doing:
The Analyst will manage the security risk assessments for capital projects and service providers. This involves identifying the risks presented by technological and process changes, and may include review of architecture designs and supporting processes and procedures to ensure the proper controls are in place and risks are appropriately mitigated.
Gathers relevant business, regulatory, process and system information; validates and updates process flows, risks and controls; prepares accurate, complete, clear and timely analysis and documentation that reflects an ability to identify risks and independently assess the adequacy and effectiveness of IT internal controls and their compliance with applicable laws, regulations, policies and procedures.
Maintain risk register and support continuous improvement of IT risk management processes.
IT Risk Consulting: Works with management and associates to assess risks associated with technology solutions and ensures appropriate remediation strategies are employed. Consults with managers and associates to identify and assess current and emerging risks and strategic initiatives.
IT Regulatory Examinations and Internal Audits: Supports IT audits and regulatory examinations to ensure their success. Assists IT managers and associates in writing effective controls and action plans for any deficiencies.
IT Risk Metrics and Reporting: Leads the development of risk metrics and reporting frameworks for Information Security. Delivers these metrics and reports on a weekly, monthly and quarterly basis.
Enterprise Risk Management: Manage the process for gathering enterprise risks (strategic/operational, financial and regulatory). Lead the initiative to analyze residual risk and benchmark against other risks across the Company. Compile feedback into a presentation for the ERM Committee, made up of key members of Executive Management.
Maintain and help prioritize the list of action items for the IT Security Department
Manage testing request lists from internal and external auditors, providing the interface between IT management and the auditors
Define action plans and timelines with process owners and manage them to completion/implementation
Information Security Incident Management: Investigates, documents and reports on security incidents, ranging from identity theft to technology-level incidents.
Administers the IT policies, standards and procedures program and writes its documents. Ensures all IT policies, standards and procedures meet the guidelines established for each and that they are properly housed, refreshed, inventoried and approved.
Drafts Information Security deliverables for both internal and external partners on a variety of topics, including security breaches and policy governance.
Conducts scheduled assessments to identify gaps in business continuity, emergency response and disaster recovery plans.
Maintain and update plans and practices to achieve efficient and effective communication and restoration of operations during emergencies.
Coordinate Disaster Recovery initiatives and plans
Lead and manage the annual BCP exercise and resources.
Develop emergency response procedures; distribute and update emergency procedures to reflect changes in staff size, location, organization and home office facilities. Monitor the effectiveness of procedures during evacuation drills and revise the procedures as necessary. Maintain a library of emergency response procedures.
Lead business continuity planning awareness training and identify potential business interruptions, develop safeguards against these interruptions, and implement recovery procedures in the event of a business interruption. Provide documentation and training on contingency planning concepts and procedures. Coordinate the disaster recovery team in scheduling Disaster Recovery (DR) tests to ensure critical applications are tested based on recovery standards.
What skills do you need for this role?
IT Technical Knowledge and Certifications:
One of the following is preferred but not required: CPA, CISA, CISM or CISSP
A SANS, ISA or ISC2 certification is desired.
Good knowledge of industry best practices such as ISO 17799 (since renumbered as ISO/IEC 27002) and the Common Criteria
Good knowledge of TCP/IP and related protocols
Familiarity with intrusion detection and prevention techniques
Ability to conduct research into security issues and products as required
Internal Control and Risk:
Working knowledge of standard risk management/control frameworks such as COBIT, ISO, COSO and ITIL
Strong understanding of internal audit and risk-based methodologies
Sarbanes-Oxley (SOX) experience
Experience in two of three areas: IT Audit, IT Risk and Information Security
Demonstrated proficiency in assessing risk and risk management practices.
Possesses in-depth/significant knowledge of IT policies, standards and procedures frameworks and their development, implementation and update
Working knowledge and understanding of general IT concepts, including applications, WAN/LAN, network engineering, Windows servers and laptop PCs
Working knowledge of regulatory requirements and guidelines
Skill:
Effective project management skills (task identification, prioritization, and documentation)
Demonstrated ability to effectively balance multiple responsibilities which may frequently change
Ability to learn information quickly and apply risk/control considerations which impact downstream decisions
Ability to interface effectively with internal and external auditors
Critical thinking skills with strong attention to detail and follow up
High degree of professionalism and personal integrity
Ability to work with a high degree of independence
Excellent documentation skills (process, control, policy, and risk documentation)
Excellent verbal and written communication skills across all levels of personnel (through executive management)
Knowledge and experience with performing ongoing risk analysis to determine which customer services, supporting business processes, systems, components and applications need to be recovered, and within what time frame, in order to comply with internal and regulatory recovery time objectives
Knowledge and experience with creating an ongoing Business Continuity Plan (BCP) training program for managers and staff.
Working knowledge of Internet, networking (LAN and WAN), data and voice telecommunications, and cloud computing in order to assist in the preparation of recovery procedures in these areas.
Knowledge and understanding of current disaster recovery planning techniques and software technologies, as well as the methods used in performing risk analysis and business impact analysis.
Here's the education and experience you need:
Bachelor's degree with a minimum of 3-5 years of experience in Internal Audit (IT Audit preferred), IT Risk or Information Security.
Job Title: IT Risk and Compliance Analyst
Department: IT
Location: Portsmouth, NH
Estimated Salary: $20 to $28 per hour based on qualifications.
