Company: MAP SSG

Address: New York, NY
Form of work: Full-Time
Category: Information Technology

Job Description

Reporting directly to the Firm's Director of Information Security, the Senior Governance, Risk, and Compliance (GRC) Analyst is instrumental in safeguarding our Firm's data and meeting clients' security requirements. Serving as the primary point of contact for day-to-day ISO 27001 program management, and a full time member of our ISO Information Security Forum (ISF), this role will report on the performance of our Information Security Management System to the Firm’s Senior IT Leadership team and assemble key artifacts required by this program (metrics, meeting agendas, attaining ongoing compliance requirements, and assembling controls evidence). This role will lead our effort to upgrade to the ISO 27001:2022 standard, and pending strategic direction may also lead efforts to adopt the ISO 27701 Privacy Information Management System, ISO 27017 code of practice for cloud management, and other frameworks as required for adoption by our clients.
The Senior GRC Analyst will be our Firm's primary point of contact for ongoing client security assessment requests. As this role will be required to interface with 50-70 such requests throughout a year, the candidate shall ensure professional and error-free work and look for efficiencies to best handle those which are repetitive in nature, including the curation of a standard answer/artifact bank, as well as using generative AI tools as approved for use. This role will regularly interface with the Firm's Risk Department and IT Leadership, as well as other departments as required, to answer questions effectively. Taking any feedback from our client auditors, this role will be pivotal in informing the Firm's Information Security strategy in a measured manner.
The Senior GRC Analyst is a full-time member of the Firm's Information Security Department. They will collaborate with Senior Security Engineers to enhance core program elements, including incident response, assimilation of threat intelligence, vulnerability management, and continuous compliance processes.
Responsibilities

1. Client Assessment Response Program
  • Act as the primary point of contact to track, triage, and provide a professional response to incoming client assessments/audits, RFPs, and Outside Counsel Guidelines.
  • Curate a standard answer and evidence bank that ensures a consistent response to these client assessment requests.
  • Ensure that all material findings are tracked and escalated to Information Security Department management.
  • Work within IT, and where needed with other departments within the Firm, to remediate control gaps and assemble evidence.

2. ISO 27001 Program Management
  • Work with external consultants to prepare ISF meeting agendas, metrics, and other artifacts for review by ISMS leadership.
  • Lead essential ISO 27001 activities such as our annual risk assessment, BCP tabletop exercises, and other periodic compliance checks (privileged account reviews, vulnerability assessments).
  • Prepare for annual internal and external ISO audits by reviewing all in-scope assets and required controls, and preparing the evidence needed to competently demonstrate our program through the entire audit process.
  • Monitor and report on the management initiatives.

3. Governance and Compliance Framework
  • Within the Information Technology Department, continue to develop a set of manageable controls that help support compliance with our clients' security requirements, such as:
    • Producing privileged account management oversight controls.
    • Producing data loss prevention oversight controls.
    • Producing threat and vulnerability management oversight controls.

4. Policy Development and Documentation
  • Develop and update policies and procedures to address evolving regulatory requirements.
  • Maintain a comprehensive repository of policies, ensuring accessibility and understanding across the organization.

Qualifications
  • Bachelor's degree in Information Systems, Information Security, Risk Management, or a related field.
  • Proven experience in governance, risk management, or compliance roles.
  • In-depth knowledge of relevant industry regulations and standards.
  • Strong analytical and problem-solving skills.
  • Excellent communication and interpersonal skills.
  • Ability to work collaboratively in a team and influence stakeholders at various levels.
  • Relevant certifications (e.g., CISA, CRISC, CISSP) are a significant plus, and if not presently held, one or more should be attained within 1 year of being in the job role.

The base salary for this position is $140,000 to $180,000.
Reference code: 7109990. Posted by MAP SSG on 2023-12-16 10:58.