The Risk and Compliance Analyst will play an instrumental role in maintaining our information security policies, standards, and procedures and will work collaboratively with the entire organization to ensure that these documents are adhered to. The person in this key role will also ensure that our IT governance processes are properly designed and are functioning effectively and that the organization maintains its compliance with all applicable legal, regulatory, and contractual requirements. Finally, the person in this role will ensure that our company properly identifies, assesses, and manages its enterprise risks. Reporting to the Manager of Information Security, this position will also work closely with the CFO, the VP of Product Development, the VP of Operations, and all departments throughout the organization.
Principal Duties and Responsibilities
- Maintain CWIE’s information security and privacy related policies, standards, and procedures.
- Assess corporate wide compliance with CWIE’s policies and standards and take action to remediate non-compliance.
- Ensure that CWIE practices satisfy the requirements of the PCI-DSS, SOC1, SOC2 audits as well as all applicable federal, state, and local laws and regulations.
- Ensure that our company is properly evaluating security risks through a risk assessment framework that assesses the potential impact of threats to the business and CWIE's vulnerability to these threats, and that recommends controls to reduce risks to levels that align with the organization's risk tolerance and appetite.
- Work collaboratively with all departments to ensure that local practices are consistent with corporate information security policies and standards.
- Monitor the legal and regulatory landscape to proactively address new information security and privacy related requirements.
- Manage and coordinate business continuity planning and disaster recovery planning programs as well as periodic exercises and tests.
- Act as a professional liaison to our auditors and consulting partners.
- Collect information for customer due diligence requests and generate responses to customer due diligence questionnaires.
- Manage vendor management / third party service provider oversight program and conduct initial vendor due diligence as well as ongoing vendor reviews.
- Coordinate and document an annual enterprise risk assessment as well as ad hoc project risk assessments.
- Design and deploy a company-wide security awareness program that is tailored to the needs of specific roles within the organization and is measurable and auditable.
- Manage our vulnerability management program by collecting vulnerability data, tracking the status of vulnerabilities, and reporting on vulnerabilities.
- Design and implement a program to collect and report information security related performance metrics and key risk indicators.
- Ability to sit for long periods of time.
- Ability to type for long periods of time.
- This position is full time. Employee is expected to work 40 hours weekly.
- Schedule will be determined by the supervisor. Employee is expected to follow the schedule.
- Employee is to report to his or her supervisor if unable to attend work.
- Experience defining, revising, and implementing corporate information security policies.
- Experience coordinating corporate-wide initiatives for obtaining security related assurances (e.g., ISO 27001, SSAE-16, etc.) including process control design and testing.
- Familiarity with federal and state legal regulatory requirements related to information security and privacy.
- Well versed in the information security issues affecting financial service organizations and cloud based application service providers.
- Understands the basic tenets of enterprise risk management (threat management, vulnerability management, and risk treatment).
- Experience in business continuity planning and vendor management is a plus.
- Bachelor’s degree in information security, information assurance, computer science, management information systems, computer information systems, or a related discipline.
- Possess at least one of the following professional designations (or one of similar stature):
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information System Auditor (CISA)
• Certified in the Governance of Enterprise Information Technology (CGEIT)
- Demonstrated excellent interpersonal skills.
- Ability to interface effectively with all levels of employees/management.
- Ability to stay focused to ensure that projects are completed accurately and on time.
- Demonstrated excellent organizational skills.
- Ability to prioritize and complete multiple interdepartmental tasks in a timely fashion.
- Excellent verbal and written communication skills.
• FLSA: Exempt
• Medical Insurance
• Dental Insurance
• Vision Insurance
• $50,000 Life Insurance
• 401k matching
• Unlimited use bus/light rail passes
• Free lunch on weekdays (5 full-time chefs)
• Paid Time Off
• Company sponsored outings