IT Governance Risk & Compliance Analyst

92128, San Diego


ICW Group is hiring an IT Governance Risk and Compliance Analyst to support companywide information security risk and governance programs by understanding the company's technology compliance requirements, performing control reviews against industry standards, identifying and mitigating technology risks, and supporting the completion of various IT governance initiatives. The role exists to assess and document the company's compliance and risk posture as it relates to information assets.

Minimum Qualifications:

  • Bachelor's degree (IT, Business, Accounting or Statistics) required.
  • 6+ years of related experience and/or training.
  • Experience with Sarbanes-Oxley or Model Audit Rule requirements.
  • Experience applying IT control and security frameworks such as SSAE 18 / SOC 2, COBIT, the NIST Cybersecurity Framework, and ISO 27001.
  • Knowledgeable in Personally Identifiable Information (PII), Personal Information, and Payment Card Industry (PCI) compliance requirements.
  • CISA, CRISC, CISM, CISSP, and/or CGEIT preferred.

ESSENTIAL DUTIES AND RESPONSIBILITIES

Supports information security risk and governance programs

  • Assists in the management of company compliance requirements such as the Model Audit Rule, data privacy and cybersecurity regulations including CCPA and the NYDFS Cybersecurity Regulation, and industry certifications, to ensure proper internal controls for reporting.
  • Develops and maintains technology-related policies, procedures, and standards that address security requirements arising from strategy, regulations, business and technology risks, and industry standards.
  • Performs information security control reviews and assessments across technology and business teams to address risk and compliance against various industry and technology frameworks (e.g., SSAE 18 / SOC 2, the NIST Cybersecurity Framework, COBIT, and ISO 27001).
  • Identifies, quantifies, tracks, and leads mitigation of risks and control exceptions in collaboration with Third Party Risk program requirements, and communicates results to department leadership.
  • Oversees and executes control activities such as periodic system access reviews to ensure activities meet defined requirements, policies, and regulations.
  • Performs information security risk assessments on third party vendors and external business partners in coordination with Third Party Risk Program.

Participates in the completion of various IT governance initiatives

  • Partners with team members to fulfill technology and information security related information requests (e.g., RFPs and RFIs, third party requests, and ad hoc technology reviews).
  • Assists with defining, alerting on, and monitoring key department metrics to support effective system-wide security analysis, intrusion detection, and risk assessment.
  • Assists with the completion of IT Governance deliverables supporting IT Financial Management, IT Strategic Planning, and reporting to executives and senior leaders.

Develops industry knowledge of applicable regulations

  • Supports and interprets information provided by Internal/External Audit for relevant compliance concerns.
  • Reviews, analyzes, and interprets controls for design and operational effectiveness to determine adherence to regulatory, contractual, and corporate policies and standards.
  • Shares industry information with the applicable stakeholder groups.
  • Keeps up to date on developing regulatory concerns and changing IT and information security trends.

EDUCATION AND EXPERIENCE

  • Bachelor's degree from four-year college or university required with major or emphasis in IT, Business, Accounting or Statistics.
  • Minimum 6 years of related experience and/or training; or equivalent combination of education and experience.
  • Experience with Sarbanes-Oxley or Model Audit Rule requirements.
  • Experience applying IT control and security frameworks such as SSAE 18 / SOC 2, COBIT, the NIST Cybersecurity Framework, and ISO 27001.
  • Knowledgeable in Personally Identifiable Information (PII), Personal Information, and Payment Card Industry (PCI) compliance requirements.

CERTIFICATES, LICENSES, REGISTRATIONS

None required; CISA, CRISC, CISM, CISSP, and/or CGEIT preferred.

KNOWLEDGE AND SKILLS

  • Ability to apply fundamental IT General Controls (ITGC) concepts, practices, and procedures.
  • Understanding of fundamental information security concepts and technology.
  • Ability to develop security standards and guidelines based on best practices and industry standards.
  • Ability to read, analyze, and interpret industry control framework concepts.
  • Must be able to assess and apply the different control types: preventive, detective, and corrective.
  • Proven organizational, analytical and time management skills.
  • Demonstrated ability to negotiate and influence.
  • Excellent interpersonal skills.