Vacancy caducado!
- The Principal Information Security Governance and Compliance Analyst is responsible for driving governance and compliance as part of the Information Security program. This primary function of this role involves focusing on the development and lifecycle management of policies, standards, controls, and compliance frameworks, as well as performing risk-based compliance testing. This position works closely with teams within the Information Technology department, as well as general business areas.
- This position reports to the Manager of Information Security Governance and Compliance.
- Act as an information security governance and compliance subject matter expert
- Develop, publish, and maintain information security policies, standards, and control procedures
- Maintain the policy lifecycle management function, ensuring information technology and security policies are reviewed and updated on a regular basis
- Work closely with the Information Security Risk Management team to design, document, and test controls aligned to mitigate IT risks within the IT organization
- Participate heavily in the care and feeding of the ServiceNow GRC solution and its regular care and feeding
- Maintain the control inventory and control mappings to security compliance frameworks such as NIST CSF/800-53, ISO 27001/2, etc.
- Conduct regular risk-based compliance testing of information security controls, reporting exceptions and monitoring remediation efforts
- Develop metrics and KPIs (Key Performance Indicators) for the information security program and prepares executive reports
- Conduct the annual NIST Cyber Security Framework (CSF) self-assessment and presents findings and accomplishments
- Participate heavily in the development, growth, and maturity of the governance and compliance management program within the ServiceNow GRC (governance, risk, and compliance) solution
- Stay updated with compliance, regulatory, and industry best practices applicable to company.
- Participate in various stages of the project management lifecycle to ensure successful implementation of security controls
- Develop and executes effective presentations at all levels within the organization
- Act as a consultant to the information security and information technology departments, providing guidance and helping to mature the overall security posture of the organization
- Eight or more years of work experience in information security, IT auditing, risk management, and/or compliance management
- Bachelor's degree in computer science, information security, information technology, or related field of study; or equivalent professional work experience
- Professional governance, risk, or compliance certification such as CISA, CRISC, CGEIT, etc.
- Demonstratable expert-level experience in writing, editing, and revising policies, control procedures, and other governance documents (Ability to provide samples a plus)
- Expert-level experience in executing compliance control testing programs and processes
- Experience implementing a variety of information security frameworks & controls across a large organization
- Strong working experience with the NIST Cybersecurity Framework, ISO 27001 & 27002, Cloud Security Alliance (CSA), OWASP, or CIS Benchmark
- Knowledge of risk management processes, techniques, and tools
- Familiarity with network technologies and protocols (switches, routers, firewalls, VPNs, remote connection technologies, and multiple domain environments)
- Knowledge of hybrid IT systems, network security, application security, identity & access management, vulnerability management, endpoint security, and cloud environments (AWS, Azure, Salesforce, etc.)
- Master's degree in related field preferred
- Professional information security certification such as CISSP, CISM, ISO Lead Auditor, etc.
- Experience implementing GRC/IRM tools (experience with ServiceNow GRC/IRM a plus)
- Knowledge of scripting languages (such as python, PowerShell, etc.)
- Experience in food, beverage, CPG, or distribution industries a plus. Experience in other regulated industries is also welcome
- Big 4 experience a plus
- Strong knowledge of cybersecurity governance, regulations, and security frameworks
- Understanding and comprehension of a wide range of compliance and technology frameworks (NIST Cybersecurity Framework (CSF) and 800-53, ISO 27001 & 27002, Cloud Security Alliance (CSA), OWASP, CIS Benchmark, etc.)
- Expert-level experience in executing compliance control testing programs and processes
- Expert-level technical writing, project management, and presentation development skills
- Implementing and using GRC/IRM tools to manage GRC processes (experience with ServiceNow GRC/IRM a plus)
- Skill in developing and maintaining metrics, KRA's, and KPI's relevant to the governance and compliance disciplines
- Articulate ideas in a business and user-friendly language
- Act as a consultant to various parts of the organization in the area of governance and compliance
- Knowledge of IT systems and supporting technologies
- Knowledge of cloud security concepts and best practices
- Knowledge of scripting languages
- Effective communication and decision-making abilities
- Able to articulate technical processes (both oral and written) to different audiences and with varying levels of complexity
- Physical demands with activity or condition for a considerable amount of time include sitting and typing/keyboarding using a computer (e.g., keyboard, mouse, and monitor)
- Physical demands with activity or condition may include occasional to rare amount of time include walking, bending, reaching, standing, and stooping
- May require occasional lifting/lowering, pushing, carrying, or pulling up to 20lbs
- Travel may be required as needed to remote locations
- Comprehensive medical benefits
- Competitive pay, 401(k)
- Retirement plan
- and much more!
Vacancy caducado!