
Governance, Risk, and Compliance Analyst

7977 · 30+ days ago
$100-115k
Full-time
Remote


The Role:

The COMPLY Security Governance, Risk, and Compliance (GRC) Analyst will help to develop and maintain information collection and internal audit functions in support of COMPLY’s information security policies. The GRC Analyst serves as a critical resource within the CISO department regarding information security policy implementation, interpretation, and compliance. The GRC Analyst assists in the collection of metrics, through internal audit and testing, to assess and prioritize information security and cybersecurity risk across the organization. The GRC Analyst works closely with the CISO to help facilitate compliance with regulatory requirements and information security policies.

The GRC Analyst will also work closely with other security analysts on projects associated with risk assessment and mitigation and tools and controls selection, and will contribute to efforts that pertain to risk and compliance.

What you'll do: 

The Governance, Risk, and Compliance Analyst is responsible for analyzing and documenting COMPLY’s compliance and risk alignment to the organization’s security policies as they relate to our information assets.

The purpose of this position is to provide skilled technical and information security expertise for the implementation and verification of the information security risk management program. Responsibilities require project management, technical analysis, and GRC data collection experience, as well as expertise in effective system-wide security analysis; intrusion detection; standards and testing; risk assessment; awareness and education; and standards and guidelines.

  • Internally assess, evaluate, and make recommendations to management regarding the adequacy of the security controls for COMPLY's information and technology systems.
  • Assist with proactively preparing for and dealing with an increasing number of audits, compliance checks, and external assessment processes for internal/external auditors (SOC, ISO, NIST, GDPR, etc.).
  • Assist with client requests and vendor-based due diligence information gathering.
  • Assist with the standardization of metrics and policy/procedure adherence information collection.
  • Assist with risk and threat analysis and be able to contribute to risk mitigation and response.
  • Assist with metrics dashboard creation/update.

Governance and Compliance

  • Assists with the development and implementation of a data security risk reporting framework, aligned with ISO-27000 series standards, for management teams and governance committees.
  • Assists with the design and documentation of technical, administrative, and physical controls to ensure the business demonstrates compliance.
  • Works with the CISO on the remediation of control gaps.
  • Assures that periodic audits/tests are completed and exceptions are documented and periodically reviewed.
  • Assists with the evaluation of the effectiveness of the information security program by developing, monitoring, gathering, and analyzing information security and compliance metrics for management.

Information Security Risk Assessment

  • Assists with the identification, analysis, evaluation, and documentation of information security risks and controls based on established risk criteria.
  • Contributes to the recommendation of controls to mitigate security risks identified via the risk assessment process.

Security Policy Management and Workforce Training and Awareness

  • Supports workforce security activities including culture, awareness, and training.
  • Assists with eDiscovery and collection of data to support investigations of possible security or policy violations.
  • Researches, recommends, and contributes to information security policies, standards, and procedures.
  • Assists with the lifecycle management of information security policies and supporting documents.
  • Works with other organizational participants to implement information security policies.
  • Assists with review of information security sections within supplier contracts, identifies gaps, and recommends security and data privacy content to close gaps.
  • Assists with the process creation, implementation, and maintenance of inventory of relevant suppliers/vendors, controls, and risks for ongoing vendor risk management activities.

Requirements:

  • Education: Bachelor’s or master’s degree in Cybersecurity, Information Technology, or related field.
  • Experience: 4+ years of progressively responsible experience in a FinTech setting, addressing risk and compliance with regulatory requirements.
  • Certifications: CISSP, CISM, CISA, and/or other specific training and certification in security risk management and controls frameworks (such as ISO 27000 series or NIST 800-53).

Skills:

  • Good written and oral communication skills
  • Effective team member
  • Critical thinking
  • Enterprise Security, Privacy, & Info Sharing
  • Organizational Awareness and Understanding
  • Technology Awareness
  • Ability to work well with people from different disciplines with varying degrees of technical experience.
  • Thorough attention to detail
  • Good problem-solving skills
  • Ability to work comfortably under pressure and deliver on tight deadlines
  • Ability to maintain the highest standards of confidentiality, integrity, and personal accountability with company or client sensitive/restricted data

The compensation range for this role is specific to the United States and takes into account a wide range of factors that are considered in making compensation decisions including, but not limited to, skill sets, training, licensure and certification, and experience. A reasonable estimate of the base salary range for this role would be $100,000-$115,000 plus applicable bonus/benefits offerings, etc., as those similarly situated within the Company.

COMPLY is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, disability, sex, sexual orientation, gender identity, or national origin. Nothing in this job posting should be construed as an offer or guarantee of employment.

Last updated on Jul 10, 2023
