GRC - Snr Analyst
EagleView
posted 2y ago
Flexible timing
Primary Responsibilities:
In these roles, you are part analyst, engineer, and advisor. You have the ability to ramp up quickly into a solid, productive member of the Security GRC team.
You are organized and have the ability to innovate and automate as we continually look to improve our processes and tools. You may own process areas, projects, or technologies for governance, risk and compliance purposes.
You create and maintain relationships with business and technical experts throughout the company who provide expertise in security requirements and solution management. You are expected to work independently while still asking for help on some areas. You are a bridge builder helping to coordinate and bring together various parts of the organization around a common process through the use of tools and communication channels.
Ensure compliance with laws, regulations, and industry standards, and compliance programs (e.g. SOC2, PCI, ISO 27001, NIST 800-X)
Create processes to support effective risk identification, evaluation, communication, and remediation
Participate in Risk Management Committee meetings
Work with risk owners to develop plans of action to reduce or mitigate risks
Analyze security controls for effectiveness of design by evaluation of control documentation and process
Analyze security controls for operational effectiveness by evaluation of control evidence
Contribute to corporate information risk management strategy, policies, standards, and tactical plans
Contribute to a comprehensive internal security audit program that validates existing security controls
Contribute to the company-wide security awareness program and compliance training
Coordinate annual enterprise risk assessment and PCI-self assessment activities
Ensure all systems, processes, and changes are formally documented
Work closely with internal and external auditors, regulators, and examiners, including coordination and compilation of technology documentation requests, reports, and assurance letters to ensure security compliance
Maintain the Risk Register and support processes to define and measure risks, then plan risk responses with company leadership
Ability to work collaboratively with internal and external departments, vendors, and other key stakeholders.
Skills/Requirements
Required Knowledge, Skills and Experience:
Bachelor's degree in a technology or business-related field (BSc or BBA preferred)
8 years overall experience in Information Security, Risk Management, or IT audit
5 years of hands-on experience supporting one or more of the following programs:
o Risk Management
o Vendor Risk Management
o Security Audits and Compliance (especially SOC2)
o Vulnerability Management
Understanding of controls and risks sufficient to identify and evaluate control effectiveness and identify gaps between risks and controls.
Working knowledge of business and risk assessment methodologies/mitigation strategies using industry standards (e.g., COBIT, ITIL, ISO 27001:2013, NIST, OWASP, etc.)
Very high attention to detail, with strong skills in managing/presenting data and information
Very strong skills in documentation, including policies, standards, processes and procedures
Ability to work independently and productively without constant supervision
Critical thinking and analytical ability
Excellent verbal and written communication skills
Preferred Knowledge, Skills and Experience:
Certification such as SANS GIAC, CISA, or CISSP preferred
Previous experience in a software development company is preferred
Experience using a GRC management platform (e.g. Archer, ZenGRC, etc.)
Employment Type: Full Time, Permanent