Information Security Analyst (Governance, Risk, and Compliance)
Delivering one-of-a-kind cloud technology, accompanied by award winning customer service, Paylocity is a software development company in a category of its own.
The Information Security Analyst will play an instrumental role in maintaining Paylocity’s information security policies, standards, and procedures and will work collaboratively with the entire organization to ensure that these documents are adhered to. Reporting to the CISO, this position will also work closely with the CFO, the Treasurer, the SVP of Product Development, the SVP of Operations, and all departments throughout the organization. The person in this key role will also ensure that Paylocity’s IT governance processes are properly designed and are functioning effectively and that the organization maintains its compliance with all applicable legal, regulatory, and contractual requirements. Finally, the person in this role will ensure that Paylocity properly identifies, assesses, and manages its enterprise risks.
Are you the leader we are looking for?
Who you are:
• Passionate about information security and privacy
• An evangelist regarding the importance of information security
• Committed to an ongoing partnership with other high-profile groups within the organization (e.g. software development) to ensure information security objectives are understood and embraced
• Established presence within information security communities
• Ability to anticipate problems and recommend decisive action
• Excellent communication skills (both written and oral)
• Ability to work collaboratively across the organization
• Values their role as an advisor and business enabler more than their role as a rule enforcer
• Self-driven, creative, and resourceful
How we work:
• Casual, collaborative environment which embraces and operates under our shared principles
• Complete transparency with open, honest discussions about our progress
• Close working relationships across all areas of the organization
• Focus on outcomes and learning
What we offer:
• A strong commitment to Information Security both financially and organizationally
• An existing talented and passionate Information Security team
• The chance to meaningfully contribute to a vast market opportunity
• A collaborative environment where our security team is empowered to help steer the direction of the team
• A place to contribute your security knowledge company-wide through forum panels with our product development team
• Annual training allowance to learn new things and bring them back to the team
• Flexible remote work schedule
• Employee Stock Purchase Program (ESPP) which enables employees to share in the long-term growth and future success of the company
• Experience defining, revising, and implementing corporate information security policies.
• Experience coordinating corporate-wide initiatives for obtaining security related assurances (e.g., ISO 27001, SSAE-16, etc.) including process control design and testing.
• Experience creating and maintaining a BCDR program and its deliverables, and serving as SME/facilitator for the business and IT.
• Familiarity with federal and state legal regulatory requirements related to information security and privacy.
• Well versed in the information security issues affecting financial service organizations and cloud based application service providers.
• Understands the basic tenets of enterprise risk management (threat management, vulnerability management, and risk treatment).
• Experience creating, implementing, maintaining, monitoring, and enforcing the Security Awareness Program.
• Experience creating and maintaining the security vendor management program.
• Possess at least one of the following professional designations (or one of similar stature):
o Certified Information Systems Security Professional (CISSP)
o Certified Information Security Manager (CISM)
o Certified Information System Auditor (CISA)
o Certified in the Governance of Enterprise Information Technology (CGEIT)
• Bachelor’s degree in information security, information assurance, computer science, management information systems, computer information systems, or a related discipline.
During the last three months, you would have:
• Ensured that Paylocity continues to comply with all applicable legal and regulatory requirements (especially the Sarbanes-Oxley Act), maintains an unqualified SSAE-16 audit report, and identifies, assesses, and manages its enterprise risks.
• Maintained Paylocity’s information security and privacy related policies, standards, and procedures.
• Assessed corporate-wide compliance with Paylocity’s policies and standards and took action to remediate non-compliance.
• Ensured that Paylocity’s practices satisfy the requirements of the Sarbanes-Oxley Act and Paylocity’s SSAE-16 audit as well as all applicable federal, state, and local laws and regulations.
• Identified compliance objectives and mapped program deliverables to the requirements.
• Ensured that Paylocity properly evaluates security risks through a risk assessment framework that assesses the potential impact of threats to the business and Paylocity’s vulnerability to those threats, and that recommends controls to reduce risks to levels aligned with the organization’s risk tolerance and appetite.
• Worked collaboratively with all Paylocity departments to ensure that local practices are consistent with corporate information security policies and standards.
• Monitored the legal and regulatory landscape to proactively address new information security and privacy related requirements.
• Managed and coordinated Paylocity’s business continuity planning and disaster recovery planning programs as well as periodic exercises and tests.
• Acted as a professional liaison to Paylocity’s SSAE-16 service auditor, its third party internal audit and consulting partners, and its external auditor.
• Collected information for customer due diligence requests and generated responses to customer due diligence questionnaires.
• Managed Paylocity’s vendor management / third-party service provider oversight program and conducted initial vendor due diligence as well as ongoing vendor reviews.
• Coordinated and documented an annual enterprise risk assessment as well as ad hoc project risk assessments.
• Designed and deployed a company-wide security awareness program that is tailored to the needs of specific roles within the organization and is measurable and auditable.
• Managed Paylocity’s vulnerability management program by collecting vulnerability data, tracking the status of vulnerabilities, and reporting on vulnerabilities.
• Designed and implemented a program to collect and report information security related performance metrics and key risk indicators.
• Represented Paylocity in the Information Security arena through vendor relations and participation in professional organizations.
• Attended a conference or seminar outside of Paylocity to stay fresh and tap into new ideas.
• Glassdoor's Employees Choice Award in 2014
• 7-time Winner on Chicago Area's 101 Best and Brightest Companies to Work For
• Inc Magazine listed Paylocity as an Inc 5000 Fastest Growing Privately Held Firm from 2007-2013
• Ranked #14 on Built in Chicago Top 100 Digital Companies for 2014
• Ranked #24 on Forbes 2013 List of Top 100 Digital Companies in Chicago
• Ranked #38 on Crain's Fast Fifty List of Chicago's Fastest Growing Companies in 2014
• Ranked #334 on Deloitte's 2014 Technology Fast 500 List of Fastest Growing Companies in North America