Working on the Information Security Risk and Compliance team, you will play a critical role in ensuring the confidentiality, integrity, and availability of data assets while complying with regulatory requirements and industry best practices.
Identifying, classifying, and outlining mitigation plans for risks associated with the handling, storage, and transmission of sensitive data within our organization are core functions of this role. This position requires a deep understanding of data governance principles, data classification methodologies, technology risk management, and regulatory frameworks and compliance standards.
A well-qualified candidate will be comfortable taking direction from management and be able to work autonomously when given an assignment or project. The candidate must have strong written and verbal communication and organization skills, and a solid understanding of different data storage technologies, regulations around data security, and risk management. Project management skills and attention to detail are a must. They are also expected to help mentor junior members of the team.
Responsibilities:
Data Classification and Inventory:
- Develop and maintain a comprehensive inventory of organizational data assets, including their classification levels, sensitivity, and associated risks using our Data Security platform.
- Implement data classification frameworks and methodologies to categorize data according to its level of sensitivity, criticality, and regulatory requirements.
- Collaborate with business units and data owners to identify and document data flows, usage patterns, and access controls for classified data.
Risk Assessment and Analysis:
- Conduct thorough risk assessments of classified data assets to identify potential vulnerabilities, threats, and compliance gaps.
- Analyze and evaluate the effectiveness of existing controls and security measures in mitigating data-related risks.
- Develop risk treatment plans and mitigation strategies to address identified vulnerabilities and improve the overall security posture of data assets.
Compliance and Regulatory Alignment:
- Ensure compliance with relevant data protection regulations, such as GDPR, CCPA, etc., by assessing data handling practices against regulatory requirements.
- Monitor changes in data protection laws and regulations to ensure ongoing compliance and adapt data classification policies and procedures.
- Provide guidance and support to business units on regulatory requirements and industry best practices related to data classification and risk management.
Data Protection Controls:
- Recommend and implement technical controls, encryption mechanisms, access controls, and data loss prevention (DLP) solutions to protect classified data from unauthorized access, disclosure, or misuse.
- Conduct periodic assessments of data protection controls and security measures to validate their effectiveness and identify areas for improvement.
- Collaborate with IT and Security teams to integrate data protection controls into technology systems and infrastructure.
Reporting and Communication:
- Prepare and present comprehensive risk assessment reports, findings, and recommendations to senior management.
- Communicate effectively with business units and data owners to raise awareness of data classification requirements, risks, and responsibilities.
- Collaborate with internal audit teams and external auditors to facilitate data classification reviews and compliance assessments.
- Work closely with the project team to ensure that deliverables are on time and on budget.
Tool Implementation and Maintenance:
- Design and architect the implementation of Data Discovery and DLP tools.
- Coordinate with the vendor account management teams to improve the capabilities of the tools and participate in quarterly business reviews (QBRs).
- Prepare and present new tool improvements and enhancements to stakeholders.
Qualifications:
- Bachelor's degree in Information Security, Computer Science, or related field; Master's degree preferred.
- Relevant certifications such as CISSP, CISM, CRISC, or equivalent are highly desirable.
- Experience working in an agile development environment.
- 5+ years of experience in data classification, risk management, or information security.
- Strong understanding of data classification methodologies, risk assessment frameworks, and regulatory requirements.
- Experience with data protection technologies, such as encryption, access controls, and data loss prevention (DLP) solutions.
- Familiarity with relevant data protection regulations, such as GDPR, CCPA, etc.
- Excellent analytical and problem-solving skills, with the ability to effectively identify and prioritize data-related risks.
- Strong communication skills, with the ability to convey complex technical concepts to non-technical stakeholders.
- Strong project management capabilities, holding self and others accountable for their deliverables.
- Ability to mentor junior team members.