Governance, Risk and Compliance Analyst
The Governance, Risk and Compliance Analyst will work collaboratively with the all departments throughout the organization and play an instrumental role in testing adherence to Paylocity’s information security policies, standards, and procedures. The person in this key role will also ensure that Paylocity’s IT governance processes are properly designed and are functioning effectively and that the organization maintains its compliance with all applicable legal, regulatory, and contractual requirements. The Governance, Risk and Compliance Analyst will ensure that all identified issues are documented, risk ranked, and retested as necessary.
What You'll Do:
- Assess corporate-wide compliance with Paylocity’s policies and standards and take action to remediate non-compliance.
- Ensure that Paylocity’s practices satisfy the requirements of the Sarbanes-Oxley Act and Paylocity’s SSAE-16, HIPAA, as well as all applicable federal, state, and local laws and regulations.
- Ensure that Paylocity is properly evaluating security risks through a risk assessment framework that assesses the potential impact of threats to the business and Paylocity’s vulnerability to these threats and recommended controls to reduce risks to levels that align with the organization’s risk tolerances and appetite.
- Work collaboratively with all Paylocity departments to ensure that local practices are consistent with corporate information security policies and standards.
- Monitor the legal and regulatory landscape to proactively address new information security and privacy related requirements.
- Identify compliance objectives and mapped program deliverables to the requirements.
- Participate in Paylocity’s business continuity planning and disaster recovery planning programs as well as periodic exercises and tests.
- Act as a professional liaison to Paylocity’s SSAE-16 service auditor, its third party internal audit, consulting partners, and its external auditor.
- Collect information for generating and communicating responses to customer due diligence requests and questionnaires.
- Assist in Paylocity’s vendor management / third party service provider oversight program and conduct initial vendor due diligence as well as ongoing vendor reviews.
- Coordinate and document an annual enterprise risk assessment as well as ad hoc project risk assessments.
- Assist in company-wide security awareness program that is tailored to the needs of specific roles within the organization and is measurable and auditable.
- Design and implement a program to collect and report information security related performance metrics and key risk indicators.
- Represent Paylocity in the information security arena through vendor relations and participation in professional organizations.
- Attend conferences or seminars outside of Paylocity to stay current on the latest information security related ideas, topics, and trends.
Education and Experience:
- Bachelor’s degree in information security, information assurance, computer science, management information systems, computer information systems, or a related discipline.
- Ability to test various controls throughout Technology and implement improvements to controls as needed.
- Minimum of 3 years’ experience in one or all of the following: IT Internal Audit, Governance/Risk and Compliance, Security Awareness and Education, Third Party risk assessments and IT Security.
- Possess or willing to obtain upon hire at least one of the following professional designations (or one of similar stature):
- Certified in Risk and Information Systems Security Professional (CRISC)
- Certified Information Security Manager (CISM)
- Certified Information System Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in the Governance of Enterprise Information Technology (CGEIT)
- Experience defining, revising, and implementing corporate information security policies.
- Experience coordinating initiatives for obtaining security related assurances (e.g., ISO 27001, SSAE-16, etc.) including process control design and testing.
- Experience in maintaining a BC/DR program and deliverables and serve as SME/facilitator for the business and IT.
- Experience creating, implementing, maintaining, monitoring and enforcing the Security Awareness Program.
- Experience creating, implementing, maintaining and monitoring security policies, standards, procedures, programs, plans and processes.
- Familiarity with federal and state legal regulatory requirements related to information security and privacy.
- Well versed in the information security issues affecting financial service organizations and cloud based application service providers.
- Understands the basic tenants of enterprise risk management (threat management, vulnerability management, and risk treatment).