Job Description

Position Overview

The Senior IT Compliance Analyst will assist in the development, implementation, and operation of the governance, risk, and compliance (GRC) function within the organization. The candidate will be responsible for establishing and maintaining policies, standards, and control objectives and for advising on the development of security controls. The candidate will assist in establishing, measuring, and communicating information security metrics regarding the effectiveness of the overall information security program, including the development and monitoring of key risk indicators (KRIs) and key performance indicators (KPIs) for both operational and executive leadership stakeholders. This role will coordinate with regulators, auditors, and internal stakeholders to ensure that the organization's GRC objectives are being met.

Responsibilities

Information Security Governance:

  • Creates, maintains, and socializes security policies, standards, and control objectives for the enterprise.
  • Creates and maintains a portfolio of information security metrics and reporting, specifically to monitor risk, risk reduction, and security program operational effectiveness. The consumers for this reporting are operational and executive leadership.
  • Leads and reports on security awareness training, phishing exercises, security training for development teams, and other security-specific training efforts.

Risk & Compliance:

  • Coordinates annual PCI certification activities.
  • Establishes, implements, and monitors compliance with security controls; communicates and tracks resolution of security exposures, misuse, and/or noncompliance situations; escalates as appropriate to senior leadership.
  • Coordinates security assessments of internal- and external-facing information services; guides compliance with Follett policy and customer requirements.
  • Leads the third-party risk management activity, including performing security reviews for third-party contracts involving Follett data or systems. Assists with responding to security questionnaires, RFP responses, audits, contract reviews, and associated activity.
  • Performs information security risk assessments of vendors, contracted services, and other third-party service providers, and facilitates risk assessments for new business ventures.
  • Conducts risk assessments of information systems, including creating asset profiles, evaluating threat likelihood and impact, and identifying mitigating controls to determine the inherent and residual risk to systems.
  • Provides GRC-specific guidance regarding security best practices to internal stakeholders.
  • Manages the execution of and reports on security awareness training, phishing exercises, and security education throughout the enterprise.

Requirements

  • Bachelor's degree or equivalent - Computer Science, Information Systems or related discipline OR demonstrated ability to meet the job requirements through a comparable number of years of applicable work experience.
  • 5+ years of related experience in Information Security Governance, Risk & Compliance.
  • Strong written and oral communication skills and the ability to engage positively with the business community and IT management, staff, and customers.
  • Extensive experience with regulatory obligations and frameworks such as PCI DSS, NIST CSF, and COBIT.
  • Strong understanding of risk management principles and the ability to identify and remediate control gaps.
  • Ability to relate business requirements and risks to technology implementation for security-related issues.
  • Extensive knowledge of risk assessment processes and how to assess a functional area, apply policy and standards and monitor for compliance and effectiveness.
  • Experience performing or participating in security maturity assessments and subsequent remediation activities is highly desired.
  • Specific experience creating metrics dashboards or reports to monitor security program effectiveness is required.
  • Decisive and highly motivated with a strong customer focus and attention to detail. Strong analytical and problem-solving skills. Solid project management skills, especially in a cross-functional environment.
  • Strong team-oriented interpersonal skills; ability to effectively interface with a wide variety of people.
  • Previous experience working with third-party providers.
  • Extensive experience creating and maintaining policies, standards, and control objectives for information security programs.
  • Standard working hours are 8 am to 5 pm, with 24/7 on-call status.
  • Ability and willingness to travel moderately (10%-50%).

Certifications Required - at least one of the following:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in Risk and Information Systems Control (CRISC)

Salary

Competitive

Hourly based

Location

Westchester, IL , United States

Job Overview
Job Posted: 1 year ago
Job Type: Full Time
Job Role: Analyst
Education: Bachelor Degree
Experience: 5+ Years
Vacancies: 99
