Position Summary:
The Data Security Controls senior analyst will be an integral member of the Information Security and Risk Management team. This role is responsible for the design, development, implementation and monitoring of security controls that identify and mitigate information security risk related to data protection. Working in the Chief Information Security Officer (CISO) office under the Associate Director, Information Security Governance, Risk and Compliance, this role serves as an information security technology expert for Grant Thornton, supporting the design, implementation, and maintenance of a cohesive security operations/monitoring solution for data security controls. The successful candidate will have a good mix of deep technical knowledge, an understanding of industry standards and controls, and a demonstrated background in information security risk management programs.
Key Responsibilities:
- Assist with operationalizing Data Classification technology deployment, implementation, and functional issues
- Support iterative review of assessment results, working with appropriate stakeholders across the lines of defense
- Perform 3rd party security risk assessment, control testing, and reporting
- Perform and facilitate the collection, review, and assimilation of risk assessment data and reporting into concise and meaningful reports
- Support the execution of front-line controls, self-assurance, and risk assessment activities (ad-hoc controls review, business process management (BPM), risk control self-assessment (RCSA), and independent risk and audit activities) as directed
- Serve as a subject matter expert with internal and external auditors to address and resolve audit questions and findings relative to core process risk management
- Partner with stakeholders, including process owners and control owners, to document processes (via process flows), risks, and controls, enhance control language, and assist to develop/maintain control objectives that validate controls are being performed in compliance with policies, standards, procedures, and other requirements to mitigate security risk
- Assess exposure to risk, measure operational risk against ERM frameworks, assist in establishing policies and procedures to minimize risk, identify ways to protect the organization from data loss and reputational damage
- Support the testing of control design and the testing of control effectiveness for assigned areas as needed
- Coordinate efforts with InfoSec’s Issues and Events Management and Control Testing functions to continually update the control effectiveness and residual risk rating of InfoSec’s business processes as needed
- Provide ongoing assessment of InfoSec’s risk profile through regular monitoring and status reporting of risks, issues, events, and initiatives within data governance processes
- Perform other duties as assigned
- Monitor and oversee the progress of risk assessments; address and resolve complex issues and assist with Operational Risk event remediation efforts when needed
- Identify areas of improvement in the existing processes, methodology, and policies. Identify gaps and recommend enhancements. Drive, adopt, and enforce best practices in report templates and tools
Required Education & Experience:
- Expert with security control design, development, implementation, and monitoring
- CISA, CRISC, CISM, or CISSP certifications (one or more) preferred
- Experience using GRC tools and technologies in support of the assessment/audit process (RSA Archer, Security Scorecard, Risk Recon, etc.)
- Demonstrated advanced verbal and written communication skills
- Excellent organizational skills; a self-motivated learner
- Experience gathering information from a range of different sources to help identify weaknesses in security controls
- Experience with regulatory requirements (e.g. PCI, GDPR, HIPAA, privacy, CCPA)
- Experience with information security risk management frameworks, assessments, audits and controls based on industry standard frameworks (e.g. NIST, ISO, COSO, HITRUST)
- Bachelor’s degree in Computer Science, Engineering or related field or equivalent work experience