Sr. GRC Security Analyst
Start a Rewarding Career with Alliant
What will your day look like?
You will be responsible for supporting Alliant’s Information Technology and Security (IT/S) Governance, Risk Management, and Compliance initiatives and projects. The incumbent will oversee the business’ IT/S obligations arising from regulatory, legal and voluntary requirements.
The Sr. GRC Security Analyst will support the requirements of three programs: 1) Governance – ensuring appropriate decision-making structures and processes, and managing the creation and maintenance of governance documents (e.g. policies, standards, procedures) for the Information Technology and Security teams. 2) Risk Management – identifying, analyzing, and facilitating decision-making and action on risks, and ensuring alignment with ERM processes and the organizational risk appetite. 3) Compliance – identifying organizational mandatory and voluntary requirements, translating them into IT/S controls, facilitating implementation of those requirements and performing regular control assurance exercises.
Responsibilities
Do you see yourself doing this?
- Manage and execute projects to ensure design of controls is aligned to compliance/regulatory requirements, including improving existing compliance/regulatory processes and controls.
- Assist and lead in the execution of compliance programs around Privacy, FFIEC, NCUA, HIPAA, PCI, CIS, NIST CSF, SOC 1/2/3, and GLBA.
- Work closely with control owners and stakeholders to gather required documents and address questions.
- Perform and lead compliance assessments and data security governance reviews for internal applications and products as well as service providers utilizing established IT risk assessment frameworks and assessment programs.
- Prepare and present assessment findings to cross-functional teams such as product, engineering, security, sourcing, legal, and compliance.
- Lead an operating rhythm to report key metrics including status of assessments and issue management.
- Develop IT/S policies, standards, and procedures and work through the process to get them reviewed, approved, and published. Lead training and awareness sessions to explain the requirements to others.
- Identify organizational and regulatory requirements and draft the IT/S controls required to meet them.
- Participate in other security and audit compliance efforts.
- Regularly communicate project status, compliance results and issues to control owners, stakeholders and management.
- Interact with multiple cross-functional teams to educate, train and address questions related to process, policies, controls and risk mitigation.
- Consider and promote continuous improvement in respective processes, controls and compliance certifications.
- Stay current and utilize industry standards and best practices to drive improvements in overall security posture.
- Learn, understand, utilize and administer our GRC platform.
- Support timely remediation of regulatory and audit findings and recommendations.
- Support vendor due diligence to define third party risk management efforts.
- Identify strengths and weaknesses in the security program as they relate to privacy, security, business resiliency and compliance frameworks.
- Maintain strong oversight of third parties, vendors and business partners to safeguard against undue risk presented by external entities. Escalate to security management and business unit leads when points of weakness are discovered.
- Analyze findings, and document, recommend and report program gaps to security leadership.
- Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance.
Qualifications
What makes you a great fit?
You’ll be a great fit if, in addition to a completed Bachelor’s degree in computer science, information assurance, MIS or a related field (or equivalent industry experience, which is required), you have:
- 5+ years’ experience in GRC or cybersecurity as a practitioner, with at least 2+ years’ exposure to various security frameworks.
- Strong business acumen and proven ability to align with security practices and compliance responsibilities.
- Experience and understanding of various regulatory requirements and laws, including but not limited to FFIEC, NCUA, PCI, SOX, HIPAA, GDPR and GLBA. Additional experience in one or more of the following: ISO 27001/2, ITIL or NIST.
- Exceptional written and verbal communication skills, and proven ability to translate security and risk to all levels of the business.
- Capacity to understand legacy and progressive technology and security controls along with respective risk.
- Working knowledge of technologies such as cloud computing, DevOps and application security is required.
- Up-to-date understanding of a wide range of incident response, system configuration, vulnerability management and hardening guidelines.
- Track record of acting with integrity, being inquisitive, adaptable, and communicating effectively.
- Preferred experience with cloud environments such as Amazon Web Services (AWS) and Microsoft Azure.
- Prior experience with leading GRC systems from vendors such as RSA, MetricStream, IBM and TruOps.
- Demonstrated problem-solving capabilities, and ability to manage complex local and international security requirements.
- Self-motivated and well-organized, with the vision to position controls in anticipation of threats.
- Successful track record of managing external entities’ contracts and relationships, and mitigating risks to business development opportunities.
- Familiarity with state, federal and international privacy laws.
- Hold, or be working toward, one or more of the following Compliance, Risk Management, or Governance certifications: CRISC, CISM, CGEIT or CISA.
When you’re happy, we’re happy!
As a thank you for joining our team, you’ll benefit from:
- Competitive medical, dental, and free vision benefits
- Competitive compensation plan
- Contributions towards gym memberships
- Generous PTO and banking holidays off