Senior GRC Analyst

Summary: The Governance, Risk, and Compliance Analyst is responsible for the assessing and documenting of the company’s compliance and risk posture as they relate to the company’s information assets.  Specific focus on software development process, testing and vulnerability management related to software Tungsten Automation produces.

The purpose of this position is to provide highly skilled technical and information security expertise for development and implementation of the information security risk management program. Responsibilities require expertise to ensure effective system-wide security analysis; intrusion detection; standards and testing; risk assessment; awareness and education; and development of policies, standards and guidelines.  This role will have a strong emphasis on Security & Compliance related to Software Lifecycle and development practices.

Reporting position: The Principal GRC Analyst reports to the Sr. Director Security & Compliance

Key Responsibilities

Risk

• Participate in the implementation of the system-wide risk management function of the information security program to ensure information security risks are identified and monitored.
• Internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the Company’s information and technology systems.
• Expands corporate risk process to product development vulnerability management to Corporate Risk

Policy/Compliance

• Contributes to the system-wide information security compliance program, ensuring IT activities, processes, and procedures meet defined requirements, policies and regulations.
• Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant controls
• Execute strategy for dealing with increasing number of audits, compliance checks and external assessment processes for internal/external auditors, PCI DSS, SOC2, ISO 27001/NIST 800-171 and FISMA
• Interfaces with Product teams to communicate security and compliance requirements, standards and processes

Outreach/Awareness

• Interacts in both oral and written communications with all levels of System staff including; Corporate IT, business system owners, general counsel, auditors, technology vendors and contractors, in matters related to information security and security awareness materials.

Audit

• Facilitate Internal Audit, and interface with outside consultants as appropriate on required security assessments and audits
• Coordinate and track all information technology and security related audits including scope of audits, remediation timelines and responses to external auditors. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the Company in its best light. Provide guidance, evaluation and advocacy on audit responses.

While the job description describes what is anticipated as the requirements of the position, the job requirements are subject to change based upon any changing needs and requirements of the business.

• Experience with privacy and risk management tools
• 10+ years practical experience performing audits and implementing compliance programs
• Experience as an auditor for external audit firms is a benefit
• Experience with successful SOC 2, ISO 27001 attestation either as an auditor or a consultant
• Bachelor in Computer Science preferred
• Certifications beneficial include CISA, CRISC, CRMA, CISSP

• 5-7 years hands-on experience with system design, application QA testing, change management, interfacing with configuration, software developers
• Must be able to assess computer hardware, software, and systems for security risks or violations and work with IT, business owners, and technology vendors to recommend process improvements or technical solutions. Develop strategies to address awareness and training for all stakeholders as well as technical solutions. Must be able to assess the status of complex multi-location projects as well as identify and implement appropriate corrective measures to resolve issues as they arise. Must have a strong customer service orientation and the ability to project that attitude to customers in remote locations.
• Prior experience conducting internal and external risk assessments and compliance measures and / or remediation items and implementing and enforcing policies and procedures
• Familiar with GRC tools for managing audit controls, evidence gathering and reporting
• Experience with ISO 27001, NIST, SSAE18, PCI DSS, EI3PA, ISO 27000, HIPAA, GDPR, or similar frameworks
• Experience performing third party assurance assessments
• Excellent client relationship and customer service skills, with a clear client focus
• High degree of independence and exceptional work ethic with a team player attitude and a solution-oriented mind
• Familiarity with core IT and security related to Software Development Lifecycle
• Exceptional interpersonal, written and oral communication skills
• Certification in or progress toward at least one designation in an information security, risk, compliance or related discipline (e.g. CISSP, CISM, CISA)