Risk Compliance Analyst

As a Risk Compliance Analyst, you will support the risk management program and related processes across all aspects for the business. The Risk Compliance Analyst is responsible for assisting the Risk Manager with the day-to-day tasks of the risk management program, including compliance monitoring reviews and other key initiatives. Responsibilities include coordinating and maintaining vendor risk management, internal and external client information requests, and conducting periodic audits of internal controls to ensure compliance.

Essential Functions

• Understand and maintain proficiency with NIST Cybersecurity Framework (CSF) and Service Organization Controls (SOC) 2 for Service Organizations: Trust Services Criteria including updates, organizational impacts, and practical use.
• Perform recurring risk analysis on vendors, audit results, vulnerability testing and security assessments to identify security issues that could lead to compromised systems, loss of integrity, and/or disruption of availability.
• Assist with and participate in Security Policy, Business Continuity Plan, Disaster Recovery Plan, and Incident Response Plan updates, testing, remediation, and planning. Ensure the documents align with industry standards and business process changes.
• Interface with customers to prepare information request responses regarding our policies, procedures, compliance standards, environment, etc.
• Work with vendor owners to risk rate vendors using the defined vendor management methodology.
• Work with vendors to ensure partner agreements, including business requirements and Information Security requirements, are met, and followed and vendor due diligence information is completed.
• Conduct internal control audits and monitoring of security controls, configuration standards, and procedures. Provide management with reporting results and metrics. Track remediation efforts and provide guidance regarding process and control gaps.
• Maintain control and risk registers and provide guidance to owners.
• Assist with the creation and administration of security awareness programs and educational efforts. Track employee compliance with issued programs.
• Compile data and prepare reports for management, security leadership team, and security team.
• Accurately maintain and comply with documentation, communication, time entry, and administrative procedures in a timely manner.
• Attend required company and departmental meetings.
  
  

Qualifications

• Bachelor’s degree in accounting, business, economics, finance or technology, and three years’ experience in information security, risk management, audit, or compliance; or an equivalent combination of education and experience.
• Successful completion of an employment background check including criminal and financial history.
• Valid driver’s license, proof of personal insurance, and an acceptable driving record.
  
  

Required Skills

• Knowledge of basic cybersecurity principles.
• Ability to apply an organization's goals and objectives to develop and maintain architecture.
• Proficiency with business collaboration tools such as MS Office applications.
• Demonstrates attention to detail.
• Effective organizational and time/task management skills.
• Ability to prioritize responsibilities and operate with changing priorities; Strong ability to exercise independent judgment.
• Self-starter with the ability to perform with little or no direct supervision.
• Excellent communication skills in working with technical and non-technical people, and the ability to develop and maintain collaborative relations among all levels of an organization.
• Treats people with respect; Works with integrity and ethically; Upholds organizational values.
• Follows policies and procedures; Completes administrative tasks correctly and on time; Supports organization's goals and values.
• Demonstrates accuracy and thoroughness; Looks for ways to improve and promote quality; Applies feedback to improve performance; Monitors own work to ensure quality.
• Knowledge or experience with data privacy laws, CJIS, CMMC or other similar regulations preferred but not required.