IT - Governance Risk and Compliance - IT - Gov Analyst

TITLE: IT - GOVERNANCE ANAYLSTSTATUS: EXEMPTREPORT TO: MANAGER - IT - GOVERNANCE, RISK AND COMPLIANCEDEPARTMENT: IT - GOVERNANCE RISK AND COMPLIANCE JOB CODE: 11349 PAY SCALE: $95,300.00 - $115,000.00 ANNUALLY   GENERAL DESCRIPTION: The governance, risk, and compliance (GRC) governance analyst assist with IT and Security governance, risk, and compliance policies, processes, technologies, and assessments. Reporting to the IT GRC Manager, the analyst provides assurance for adherence to company policies and procedures, and contributes to activities related to the development, implementation, compliance, and adherence to the organization’s IT policies and assessment activities. This position works closely with the Golden 1 Information Security teams for security reviews and evidence collection activities that align with internal and external auditing requirements as well as any security investigations and incidents. This position will also be responsible for the reporting, tracking and verification of IT Change Management procedures and Business Continuity and Disaster Recovery (BCDR) testing processes. The ideal candidate is technical and possesses at least five years of experience in IT governance, compliance, or risk management. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business critical.   TASKS, DUTIES, FUNCTIONS: Manage the reporting requirements for Golden 1’s IT GRC program, ensuring IT activities, processes, and procedures meet defined requirements, policies, and regulations. Manage assessments and gap analyses of Golden 1’s IT control environment against industry and regulatory governance frameworks (i.e., NIST Cyber Security Framework, ISO 27001, SOC 1/2, COBIT, ITIL, Sarbanes-Oxley, and CCPA/GDPR). Apply GRC expertise across key lines of business, including products, practices, and procedures. Coordinate and track IT related audits activities including scope, timelines, evidence gathering, and remediation task outcomes. Ensure Golden 1’s IT teams maintain up-to-date configuration documentation for systems and processes. Provide guidance, evaluation, and advocacy on audit responses for the department. Maintain oversight in a GRC-related platform. Produce metrics, reports, and dashboards as applicable. Execute Golden 1’s IT strategy for dealing with increasing number of audits, compliance checks and external assessment processes. Oversee the management of system user access reviews including data collection and follow-up with system owner approvals and timely submissions as required. Identify strengths and weaknesses in the GRC program as they relate to privacy, security, business resiliency and compliance frameworks. Support third-party risk assessments and manage third-party risk and remediation activities. Ensures proper reporting and response to alleged violations of company rules, regulations, policies, procedures, and standards of conduct by initiating and cooperating in investigative procedures. Work with auditors as appropriate to keep audit focus in scope and remediation delivery commitments. Maintain excellent relationships with audit entities and provide a consistent perspective that continually puts Golden 1 in its best light. Facilitate Business Continuity/Disaster Recovery Planning and Testing exercises. Support the development of strategies to address GRC awareness and training for all stakeholders and provide on-site guidance and instructions to other IT teams as needed. Maintain and enforce confidentiality regarding information being processed, stored, or accessed by the system. Perform other duties as assigned. PHYSICAL SKILLS, ABILITIES, AND EXERTION UTILIZED IN THE PERFORMANCE OF THESE TASK: At least Five plus years’ experience in cybersecurity as a practitioner and with at least two to three plus years exposure with various security frameworks. Minimum of 3 years’ experience responding to, analyzing, and communicating information security incidents and overseeing remediation actions to completion. Strong business acumen and security technology skills for well-rounded proficiency, as well as proven ability to align with security practices and compliance responsibilities. Experience and understanding of various regulatory requirements and laws, including but not limited to PCI, SOX, HIPAA, GDPR and GLBA. Additional experience in one or more of the following: ISO 27001/2, ITIL or NIST. Exceptional written and verbal communication skills, and proven ability to translate security and risk to all levels of the business. Capacity to understand legacy and progressive technology and security controls along with respective risk. Working knowledge of technologies such as cloud computing, DevOps and application security is required. Up-to-date understanding of a wide range of incident response, system configuration, vulnerability management and hardening guidelines. Track record of acting with integrity, taking pride in work, seeking to excel, being curious and adaptable, and communicating effectively. Proven project leadership with both legacy and emerging technologies to assess and manage business risk and enforce security controls. Prior team leadership experience preferred. Must be self-directed, able to work on own initiative. Ability to work under pressure and tight deadlines; may be required to work extended hours to complete tasks. ORGANIZATIONAL CONTACTS & RELATIONSHIPS: INTERNAL: All levels of staff and management, including Senior Management EXTERNAL: Members, vendors, suppliers, government agencies, credit union industry associations and peers at other financial institutions. QUALIFICATIONS: EDUCATION: Bachelor's degree in Business Administration, Accounting, Management Information Systems or Computer Science is strongly preferred. Advanced Degree in Business Administration or other related area is preferred. EXPERIENCE: Minimum five years’ experience in cybersecurity as a practitioner and with at least two to three plus years exposure with various security frameworks, experience in a technology risk, security, or compliance role preferably in a financial institution. Detailed understanding of risk management and controls assurance. Strong understanding of information security controls and standards such as ISO 27001/2, NIST, CSF, and related frameworks. Thorough understanding of various regulatory requirements and laws such as, but not limited to PCI, SOX, HIPAA, HITRUST, GDPR and GLBA. Experience in a role balanced between business stakeholders and a central technology service organization. Certifications, such as CISSP, CRISC, CISA, CIPP, CISM, are well regarded. KNOWLEDGE / SKILLS: Must have strong written skills, communication skills, and possess the ability to building trust and relationships with senior executives. This diversified position requires a strong ability to multitask.   Strong analytical, problem solving, and decision making skills to effectively understand and resolve complex strategies and issues. Must have good interpersonal skills and the ability to interact with employees at all levels of responsibility within the organization. PHYSICAL REQUIREMENTS: Prolonged sitting throughout the workday with occasional mobility required. Corrected vision within the normal range. Hearing within normal range. A device to enhance hearing will be provided if needed. Ability to lift 20 lbs. as may be required. Occasional movements throughout the department daily to interact with staff, accomplish tasks, etc. May require long work hours to accomplish tasks. Occasional travel may be required locally, statewide, and throughout the United States to attend seminars and vendor group meetings. Overnight travel and evening schedules included. Prolonged use of telephone to accomplish tasks. LICENSES / CERTIFICATIONS: Holds or is working toward one or more of the following: CISSP, CRISC, CGEIT or GRCP. Project Management Professional (PMP) and (PfMP) certifications from the Project Management Institute (PMI) or Certified Business Analyst Professional (CBAP) from the International Institute of Business Analysis (IIBA) preferable, but not required.   THIS JOB DESCRIPTION IN NO WAY STATES OR IMPLIES THAT THESE ARE THE ONLY DUTIES TO BE PERFORMED BY THIS EMPLOYEE. HE OR SHE WILL BE REQUIRED TO FOLLOW OTHER INSTRUCTIONS AND TO PERFORM OTHER DUTIES REQUESTED BY HIS OR HER SUPERVISOR THAT ARE WITHIN HIS / HER KNOWLEDGE, SKILL AND ABILITY AS WELL AS HIS / HER MENTAL AND PHYSICAL ABILITIES. REV. 3.17.2023