- This position's primary function is to plan and execute audits of the firm's information technology environment, including the preparation of client audit responses and the execution of third-party vendor audits on behalf of the firm. The Senior Security GRC Analyst provides technical and thought leadership in the continual improvement of the firm's ISMS, including audit, risk management, records management, and monitoring of control systems.
- Participate in and lead all aspects of the IT audit function, including planning, audit program development, control analysis, testing, issue development, and reporting.
- Respond to client information security audits in a timely, accurate, and effective manner.
- Provide effective responses to client Requests for Proposals and Requests for Information in support of the business development function.
- Ensure that scoped systems are monitored and audited relative to the requirements set forth in the firm's ISMS.
- Report on compliance with the firm’s information security policies and procedures.
- Monitor control systems to ensure that appropriate information access levels and security clearances are maintained.
- Provide guidance and support for the System Governance Virtual Team.
- Coordinate internal and external audit engagements with constituents.
- Provide status reports to the IT GRC Manager and other ISMS stakeholders.
- Maintain records of audit findings and ensure that corrective actions are implemented per the agreed remediation schedule.
- Develop standardized responses and documentation for external audits.
- Develop and provide metrics evaluating the effectiveness of the IT GRC function, and IT GRC's compliance with assigned ISMS responsibilities.
- Provide guidance to Legal regarding acceptable contract terms and conditions.
- Review and redline security schedules and other security requirements associated with proposed client contracts.
- Provide input into policies, standards and procedures. Author standards and procedures designed to safeguard sensitive information.
- Contribute to the Firm's security-related information repositories and other marketing/awareness endeavours.
- Monitor the latest developments in the IT GRC discipline and utilize that knowledge for continual improvement by providing formal and informal strategic and tactical plans and roadmaps to the IT GRC Manager and other stakeholders.
- Mentor junior members of the IT GRC group.
Technical Knowledge and Skills
- Thorough understanding of security concepts and best practices.
- Authoritative understanding of audit principles applied to common information security domains such as security policy, organizational structure, asset management, human resources, physical security, operations, communications, access control, development and acquisition, incident management, business continuity, and compliance.
- Authoritative understanding of principles, theories, techniques, and methods of information system analysis and risk assessment.
- Authoritative understanding of security frameworks such as ISO 27001, NIST, SANS CSC.
- Working knowledge of common information systems such as Active Directory, networking, endpoint management, application development principles, and SQL.
- Sufficient business acumen to understand the business drivers associated with risk management concepts, particularly those affecting client audits, RFPs, and contractual terms.
- Functional leadership skills such as the ability to direct the action of others, to facilitate meetings, and to report status in a clear and concise manner.
- Strong written and oral communication skills. Ability to convey complex concepts to non-technical constituents. Proficiency in oral and written English.
- Strong project management, analytical and interpersonal skills.
Minimum Education / Experience
- Possess a Computer Science, Information Assurance, or Information Systems Bachelor's Degree or substantial equivalent experience.
- 3+ years of practical experience in information security technical operations.
- 3+ years of management or supervisory experience in information security with a focus on IS audit, compliance, and risk management.
Special Requirements, Licenses, and Certifications
- ISACA CRISC or CGEIT
- CISSP or SSC
- RSA Archer Certified Administrator desirable