16 Jan
Sr. Associate / Analyst - GRC
Vacancy expired!
- Understand, document and test IT risk and controls
- Strong Cybersecurity and Privacy knowledge
- Understanding of vendor risk and data analysis
- Lead and define risk assessment process
- Strong Understanding of business and technical requirements for GRC tool
- Develop and conduct risk assessments
- Follow-up with business as needed for clarification on the risk tier
- Apply methodology to determine risk tier
- Review business and technical assessment questionnaires and evidence, and schedule and conduct review calls with vendors: ensure and track questionnaires sent to vendors, track and report on abandoned vendors, receive and review questionnaire responses and evidence, hold review calls, and finalize the report
- Coordinate other due diligence that needs to be done in addition to the security questionnaire when required
- Develop corrective action plans and monitor third party remediation efforts
- Document and communicate findings and observations to internal and external stakeholders
- Track open issues and related remediation execution (programmatic)
- Utilize a GRC tool as the central repository for risk and control information
- Collaborate with internal stakeholders to develop continued program process improvements
- Report on assessment outcomes, risk levels, and remediation progress
- Continuously raise awareness on the program through training, info-sessions and interactions with business stakeholders, security teams, legal, etc.
- Bachelor’s degree with a major in business or management information systems, or relevant experience
- In-depth knowledge of Third Party Risk Management
- Performing IT risk assessments against OWASP, PCI, GLBA, NIST, ISO, SIG/AUP or other standards
- Collecting, analyzing, and interpreting qualitative and quantitative data from multiple sources to analyze findings in the context of the overall third party risk
- Demonstrated ability to prepare management level reporting and effectively communicate observations across all levels of the organization
- Strong knowledge base in information security, risk management, privacy, operations, enterprise networking, systems evaluation, and architecture
- Demonstrated experience in the areas of risks and controls across various IT platforms
- Strong analytic skills for problem analysis and resolution
- Advanced MS-Office skills including Excel and PowerPoint
- Ability to communicate complex technology risk assessment information to non-technical business stakeholders to ensure they comprehend the risk being assigned to them
- Ability to discern business relevant risk associated with technology control deficiencies, and to identify the corresponding remediation which is required to mitigate the business impact
- Deep understanding and knowledge of security, risk and privacy regulatory frameworks such as NIST, SOX, PCI, HIPAA, ISO, Safe Harbor, CSA, etc.
- Strong written and verbal communication and organizational skills, as this individual will be working on multiple projects with technology stakeholders across the organization
- Preferred certifications: CISSP, CISA, CIPP, CRISC, CEH, and/or CISM
- Self-starter who can function independently with limited direction
- Experience in managing Third Party Risk with a large volume of vendors globally
- Experience in the development, implementation, and/or maintenance of a global enterprise IT and security risk and control framework
- Ability to understand the “big picture” by aligning activities to business objectives and partnering with other IT GRC functions to align on strategies and enterprise priorities
- Ability to prioritize activities based on business criticality, audits, threats, vulnerabilities, and regulatory requirements
- Experience creating a risk-aware culture
- Experience with IT GRC platforms, including the ability to drive maturity and enhancements to the platform, tools, and methodologies