Position Summary:
The Data Security Controls senior analyst will be an integral member of the Information Security and Risk Management team. This role is responsible for the design, development, implementation and monitoring of security controls that identify and mitigate information security risk related to data protection. Working in the Chief Information Security Officer (CISO) office under the Associate Director, Information Security Governance, Risk and Compliance, this role serves as an information security technology expert for Grant Thornton, supporting the design, implementation, and maintenance of a cohesive security operations/monitoring solution for data security controls. The successful candidate will have a good mix of deep technical knowledge, understanding of industry standards and controls, and a demonstrated background in information security risk management programs.
Key Responsibilities:
- Provide ongoing assessment of InfoSec’s risk profile through regular monitoring and status reporting of risks, issues, events, and initiatives within data governance processes
- Serve as a subject matter expert with internal and external auditors to address and resolve audit questions and findings relative to core process risk management
- Support the testing of control design and the testing of control effectiveness for assigned areas as needed
- Partner with stakeholders, including process owners and control owners, to document processes (via process flows), risks, and controls, enhance control language, and assist to develop/maintain control objectives that validate controls are being performed in compliance with policies, standards, procedures, and other requirements to mitigate security risk
- Support iterative review of assessment results, working with appropriate stakeholders across the lines of defense
- Perform third-party security risk assessments, control testing, and reporting
- Assess exposure to risk, measure operational risk against ERM frameworks, assist in establishing policies and procedures to minimize risk, and identify ways to protect the organization from data loss and reputational damage
- Coordinate efforts with InfoSec’s Issues and Events Management and Control Testing functions, to continually update control effectiveness and residual risk rating of InfoSec’s business processes as needed
- Assist with operationalizing Data Classification technology deployment, implementation, and functional issues
- Support the execution of front-line controls, self-assurance, and risk assessment activities (ad-hoc controls review, business process management (BPM), risk control self-assessment (RCSA), and independent risk and audit activities) as directed
- Monitor and oversee the progress of risk assessments; address and resolve complex issues and assist with Operational Risk event remediation efforts when needed
- Perform and facilitate the collection, review, and assimilation of risk assessment data and reporting into concise and meaningful reports
Required Education & Experience:
- Demonstrated advanced verbal and written communication skills
- Excellent organizational skills and a self-motivated learner
- Bachelor’s degree in Computer Science, Engineering or related field or equivalent work experience
- Experience gathering information from a range of different sources to help identify weaknesses in security controls
- Experience with regulatory requirements (e.g. PCI, GDPR, HIPAA, privacy, CCPA, etc.)
- CISA, CRISC, CISM, or CISSP certifications (one or more) preferred
- Expertise in security control design, development, implementation, and monitoring
- Experience with information security risk management frameworks, assessments, audits and controls based on industry standard frameworks (e.g. NIST, ISO, COSO, HITRUST)
- Experience using GRC tools and technologies in support of the assessment/audit process (RSA Archer, Security Scorecard, Risk Recon, etc.)