The GRC Security Analyst is responsible for assessing and documenting the organization's compliance and risk posture as they relate to its information assets. The GRC Security Analyst will maintain expertise in cyber-security intelligence to ensure effective system-wide security analysis, intrusion detection, standards and testing, risk assessment, awareness and education, and the development of policies, standards and guidelines.
Essential Duties & Responsibilities
• Assist in the development and implementation of system-wide risk management functions of the information security program to ensure information security risks are identified and monitored.
• Internally assess, evaluate and make recommendations to management regarding the adequacy of security controls for the information and technology systems.
• Assist in developing and maintaining Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for the Data Governance Security Program and initiatives.
• Support the system-wide information security compliance program, ensuring IT activities, processes and procedures meet and support the defined policies, procedures and processes.
• Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legal and regulatory interpretation.
• Implement strategies and project plans for dealing with audits, compliance checks, external assessment processes for internal and external auditors related to information security programs.
• Provide guidance, evaluation and input on responses to audits impacting information security programs.
• Conduct information security due diligence on third-party vendors to ensure adherence to organizational, regulatory or legal standards.
• Develop routine reports in accordance with GRC metrics.
• Work with the CISO to determine the acceptable level of risk for enterprise computing platforms.
• Liaise with key functional teams such as HR, IT, Marketing, Finance, Product Management, Development, General Counsel, and the Business to identify new applications and service providers in use and the associated security controls to secure the data.
• Investigate incidents and events that include potential HIPAA and other data breaches, data leakage, brand reputational risks, malware propagation, system compromises, etc.
• Assist in the management and maintenance of the enterprise-wide IS Security Awareness Program, which includes phishing simulations, computer-based training, proactive communications on the latest threats, workshops and newsletters.
• Work with the CISO to ensure the Information Security team stays abreast of new regulatory, legal and/or compliance data security requirements.
• Ensure compliance with HIPAA and applicable legal and regulatory requirements.
• Take on other security-related projects that may be assigned according to skills and organizational priorities.