The IT Governance, Risk & Compliance (IT GRC) Analyst shall be responsible for the execution and delivery of activities supporting the associated IT GRC and information security programs. These programs directly facilitate the establishment, growth and maturity of IT governance, risk management, and compliance practices at AutoNation.
The IT GRC Analyst should be able to demonstrate good proficiency in risk management concepts (related to information security) and should be familiar with the NIST family of frameworks and standards. The candidate shall also support the design, implementation, and ongoing administration of the RSAM GRC system, and must demonstrate experience with either this toolset or RSA Archer GRC.
The position reports to the IT GRC Senior Manager in the Information Security department, and works closely with teams in Information Security, Technology (IT) support and operations, Internal/External Audit, and business/system/information owners to deliver on the listed responsibilities and provide guidance on information protection and controls compliance.
- Organize and operate the cyber security awareness program, including but not limited to: execution of phishing simulation and awareness campaigns, selection and deployment of training content from service providers, curation of content for regular awareness media; and associated reporting and metrics.
- Assist in the development and maintenance of information security policies, standards, and control procedures to enable compliance with applicable regulations and industry standards, including the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX).
- Perform security risk assessments on new or existing IT products, services, and technologies to analyze controls, identify and evaluate mitigating control opportunities and assign residual risk using the organizational risk management methodology. Support the development and execution of an annual enterprise-level IT risk assessment.
- Provide consultative advice to internal customers in the areas of risk management, technology and business process security controls, to enable them to make informed risk decisions, develop acceptable risk mitigation strategies and documented processes, and achieve controls compliance.
- Identify opportunities and support efforts to drive organizational information security risk posture and process improvement. Maintain strong working relationships with individuals and groups involved in managing information security risks across the organization.
- Work closely with and manage internal and external stakeholders, including third-party service providers.
- Support information security risk management program reporting efforts.
- Support IT GRC team members as necessary with other IT GRC program areas, including but not limited to: vendor risk management, risk assessments, PCI DSS self-assessments, SOX internal control reviews, and implementation of the RSAM GRC toolset.
- Perform other duties as assigned by management.
- High school diploma or equivalent required.
- Bachelor’s degree in Computer Science or a related field preferred.
- Two (2) years’ experience in information security, IT audit, IT compliance, or related experience required. Big Four experience preferred.
- Preferred industry certifications: CISA, CISM, CRISC, CISSP, or similar information security/IT audit disciplines.
- Good interpersonal, written, and oral communication skills.
- Possess a general understanding of underlying IT infrastructure, architecture, and concepts.
- Good time management and related organizational skills, including appropriate sense of urgency, a proactive approach, and a suitable ability to anticipate and manage project lifecycle events, issues, and challenges.
- Strong analytical and problem-solving skills. Advanced use of Microsoft Excel and/or Tableau preferred.
- Ability to work both independently and as part of a team to deliver quality work product in a timely fashion in a fast-paced environment.
- Demonstrated understanding of PCI DSS, SOX, and the NIST Cybersecurity Framework. In addition, understanding of NIST SP 800-53 r4, COBIT, and ITIL frameworks preferred.
Next Possible Position:
IT GRC Senior Analyst
- Extended working hours may be required as dictated by management and business needs.
- Ability to travel (10%) to multiple facilities as business needs dictate.
- May be required to sit and review information on a computer screen for long periods of time.
- May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.
- Corporate role.