Risk Analyst Ii

Information Technology Risk and Compliance Opportunity in Enterprise Technology Services

Risk Analyst II

Location(s):      

20 E. Thomas Road, Phoenix, AZ  85012

2300 Windy Ridge Parkway, Atlanta, GA  30339 

7755 Third Street North, Oakdale, MN  55128

877 Executive Center Drive West, St. Petersburg, FL 33702

12325 Port Grace Boulevard, La Vista, NE 68128

Preferred Location(s): Phoenix, AZ, Atlanta, GA, Oakdale, MN or St. Petersburg, FL 

Qualified candidates in all locations and seeking 100% work from home encouraged to apply.

Role Type:          Full time

Summary:

As a member of Osaic’s, Privacy, and Data Management team, this position will report to the Director of Information Technology Risk and Compliance and will provide independent and objective assessments to determine if all significant risks are identified and appropriately reported by management and evaluate whether risks are adequately controlled.

The Information Technology Risk and Compliance team is seeking a Risk Analyst II with advanced Information Technology Audit and Risk Management experience.  This position will work with business areas throughout the firm to identify and manage Information Security and Information Technology Risks.  Our ideal candidate would provide regulatory guidance and conduct continuous risk assessments, emphasizing NIST controls. 

Responsibilities:

• Proactively identify and communicate current and emerging risks with appropriate business and leaders.

• Support and maintain the Cyber Threat Management Program.

• Support the creation and maintenance of IT General Controls (to include security controls) to support Cyber Threat Management Program.

• Support the creation and maintenance of the IT General Controls (to include security controls) governance process that leverages the MITRE ATT&CK framework to normalize all known threats, tactics, and procedures to better prioritize changes to security controls in Production.

• Support the creation and maintenance of IT General Controls (to include security controls) catalogue to visualize overall control effectiveness over time. 

• Support and maintain tracking of Information Technology and Compliance risks.

• Support the operationalization of internal and external Information Technology and Information Security Risk Assessments.

• Support the development of Information Technology and Information Security Control Testing plans.

• Support the development of a self-service portal to pull audit data and UCF test data.

• Support the implementation of a Governance, Risk, and Compliance (GRC) platform.

• Support the creation and ongoing generation of Risk Reports.

• Assess the criticality of control gaps for escalation.

• Support the enhancement of the Risk Register as needed.

• Fosters a culture of security across the organization by participating in critical conversations, providing training, and advising departments on GRC matters.

• Maintain a customer centric culture. 

• Create and maintain trusted partnerships within all areas of the business.

• Create and maintain a culture of operational excellence. 

• Liaise with Information Technology on gathering data to support the quantification of various emerging risk scenarios.

• Perform IT and IS Risk assessments against Osaic’s Unified Control Framework.

• Analyze data to better understand potential risks, concerns, and outcomes of decisions.

• Aggregate data from multiple sources to provide a comprehensive assessment.

• Create reports, summaries, presentations, and process documents to display results.

• Collaborate with other team members and external and internal auditors to effectively analyze and present data.

• Develop systems and processes for gathering and storing data for future analytic projects.

• As needed, assist with special projects related to Risk Management or internal team needs.

• Ability to travel 5% to 10% of the time throughout the year.

• All other duties as assigned.

Education Requirements:

• Bachelor’s Degree in information security, information technology, information security assurance, or related field is preferred. Significant Practical Experience will be considered in lieu of degree.

Basic Requirements:

• 3+ years of experience as a Risk Analyst in a similar company or related field.

• 3+ years of experience with Cybersecurity and Data Center Security

• 3+ years of experience with Internal/External/Application PEN Test methodologies

• 3+ years of experience with Information Security Threats

• 3+ years of experience with the NIST CSF Framework

• 3+ years of experience with IT General Controls rationalization and testing

• 3+ years of experience with Cloud, Endpoint, Mobile, IoT and Application Security

• 3+ years of experience with encryption methodologies

• Foundational understanding of the MITRE ATT&CK Framework

• 3+ years of experience with Threat Analysis, Business Analysis, Service Management and Control Governance Services

• 3+ years of experience with Threat Intelligence, Threat Hunting and Threat Response

• 3+ years of experience with security health checks, patch management, server build & decommission, and change management

• Strong partnering, communication, and presentation skills

• Strong analytical and problem-solving skills

• Experience in coordinating activities between multiple parties

• Strong relationship and team-building skills

• Experience presenting to senior leadership required

• Strong critical thinking skills

• A deep understanding of Information Technology (i.e., Active Directory, Firewalls, Routers, Infrastructure, Databases, Logging, Monitoring, Change Management, Segregation of Duties, Cybersecurity, Physical Security, IT operations, Network Security, and Cloud Computing).

• A deep understanding of Data Center operations, security, and risk assessments.

• Demonstrated ability to prioritize tasks and meet daily deadlines for projects.

• Detail oriented.

• Proficiency in Microsoft Excel, Access, Visio, and other analysis programs.

• Ability to manage multiple projects and programs simultaneously to complete work.

• Critical thinking skills with the ability to independently solve problems with data.

• Presentation skills, including public speaking and presentation creation using PowerPoint or a similar program.

• Understanding risks and internal controls and the ability to evaluate and determine the adequacy and effectiveness of controls.

• Excellent analytical skills, including the ability to anticipate issues and design appropriate solutions.

• Strong verbal and written communication skills with a shown ability to articulate effectively and authoritatively.

• All other duties as assigned.

Preferred Requirements:

• 5+ years of experience as a Risk Analyst in a similar company or related field.

• 5+ years of experience with Cybersecurity and Data Center Security

• 5+ years of experience with Internal/External/Application PEN Test methodologies

• 5+ years of experience with Information Security Threats

• 5+ years of experience with the NIST CSF Framework

• 5+ years of experience with IT General Controls rationalization and testing

• 5+ years of experience with Cloud, Endpoint, Mobile, IoT and Application Security

• 5+ years of experience with encryption methodologies

• 5+ years of experience with Threat Analysis, Business Analysis, Service Management and Control Governance Services

• 5+ years of experience with Threat Intelligence, Threat Hunting and Threat Response

• 5+ years of experience with security health checks, patch management, server build & decommission, and change management

• Experience with integration of the MITRE ATT&CK framework with risk management and control assessments.

• Experience required with FINRA, FFIEC, PCI, CCPA, NYDFS regulatory requirements.

• Excellent analytical skills, including the ability to anticipate issues and design appropriate solutions.

• Experience in building technical risk assessment or security assurance programs.

• Experience working with regulators

• Demonstrated ability to prioritize tasks and meet daily deadlines for projects.

• Detail oriented.

• Proficiency in Microsoft Excel, Access, Visio, and other analysis programs.

• Ability to manage multiple projects and programs simultaneously to complete work.

• Critical thinking skills with the ability to independently solve problems with data.

• Presentation skills, including public speaking and presentation creation using PowerPoint or a similar program.

• CISSP, SANS GIAC-GSEC or CISA certifications are strongly preferred.  Other relevant certificates will be considered.

• Understanding risks and internal controls and the ability to evaluate and determine the adequacy and effectiveness of controls.

Osaic is an equal opportunity employer. We celebrate diversity in our workplace and we hire the most qualified candidates without regard for age, ethnicity, gender, gender identity or expression, language differences, nationality or national origin, family or marital status, physical, mental, and developmental abilities (or the perception of a disability), genetic information, race, religion or belief, sexual orientation, skin color, social or economic class, education, work and behavioral styles, political affiliation, military service, caste, or any other characteristic protected by law.

Applicants for employment in the US must have valid work authorization that does not now and/or will not in the future require sponsorship of a visa for employment authorization in the US by Osaic.

Osaic does not consider applications from candidates who do not meet the minimum qualifications stated in the job posting.

Osaic only accepts candidates from contracted recruiting firms and only for searches approved prior to submissions. Fees will not be paid for unsolicited submissions.