IT Governance, Risk & Compliance Analyst at Onbe (Remote)
Summary: The IT Governance, Risk, and Compliance Analyst will build, coordinate, and articulate summarized risk findings that are clear and useful to business partners, reduce risk by helping to prioritize and drive remediation efforts throughout the organization, and contribute to risk management, treatment, and reporting process efforts to protect data assets. The analyst will help prepare for and facilitate assessments and examinations by qualified security assessors. The analyst will perform third-party supplier security assessments, as well as facilitate and coordinate responses to customer due diligence questionnaires.
- Perform information security risk assessments and risk management activities across the organization.
- Establish and maintain risk criteria, identify, analyze, and evaluate information security risks.
- Ensure that repeated information security risk assessments produce consistent, valid, and comparable results.
- Maintain repository of documented information about the information security risk assessment process.
- Conduct risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities and risks.
- Select appropriate information security risk treatment options based on risk assessment results; determine all controls necessary to implement those treatment options; compare controls and verify that no necessary controls have been omitted; and obtain the risk owner's approval of the risk treatment plan and acceptance of residual information security risks.
- Assist with the evaluation of the effectiveness of information security management and performance by developing, monitoring, gathering, and analyzing information security and compliance metrics for management.
- Develop and implement a risk reporting framework for management teams and governance committees.
- Design and document IT general controls to ensure the business demonstrates compliance with its regulatory or compliance obligations.
- Facilitate and coordinate activities and responses related to internal and external control testing including entitlement reviews.
- Facilitate the remediation of control gaps and raise critical issues to management.
- Work closely with control owners, internal and external auditors to ensure requests are completed for timely delivery to audit.
- Assist with third-party audits and certifications for the organization (e.g. SOC, ISO, PCI).
- Assist with responding to customer information security requirements and due diligence questionnaires.
- Coordinate and facilitate response gathering in conjunction with other organizational application, support, infrastructure, legal, HR, and physical security teams.
- Maintain repository of customer information security requirements, track, and report on compliance.
- Research, recommend, and contribute to information security policies, standards, and procedures, and work with other organizational participants from legal, human resources, information technology, compliance, physical security, the business units, and others who have to implement the policies.
- Assist with the lifecycle management of information security policy and its supporting documents.
- 5+ years of IT governance, risk, and/or compliance experience
- Knowledge of identity and access management (IAM) principles
- Experience with modern GRC tooling
- Experience reporting risk within a global enterprise, developing a culture of risk informed decision making
- Experience with risk assessments and compliance for major regulatory initiatives (e.g. SOX, PCI-DSS)
- Experience with cyber security and information security program management and frameworks (e.g. NIST CSF, ISO/IEC 27000, etc.)
- Exposure to and familiarity with relevant standards such as ISO/IEC 27000 family - Information Security Management Systems, NIST Cybersecurity Framework, NIST 800, and applicable laws related to regulatory compliance, information security and privacy (e.g. SOX, HIPAA, GDPR, PCI-DSS)
- Knowledge of information security risk management and IT controls frameworks and methodologies (e.g. ISO/IEC 27005, COBIT, OCTAVE)
- Knowledge of risk management principles (risk avoidance, transfer, mitigation, acceptance) and the risk assessment process
- Knowledge of Standardized Information Gathering (SIG) Questionnaire
This position can be office based, hybrid or fully remote in the continental United States. Onbe's employee base is mostly clustered in the Eastern and Central time zones, with offices in suburban Philadelphia and suburban Chicago.
At Onbe, a diverse group of people, ideas, and perspectives are key to achieving phenomenal things. For over 25 years, our focus has remained on building a culture of openness and ingenuity, where employees come together to innovate and build disbursement solutions that make the lives of our clients and their consumers and workforces easier and better. Our definition of success includes celebrating differences and affirming belonging. To that end, we ask employees to come to Onbe as they are and contribute their diverse perspectives, identities, and experiences.
We believe that the recruiting phase is only the very beginning of diversity and inclusion. At Onbe, we're constantly evolving the way we celebrate diversity every day and in everything we do. With several internal committees that are dedicated to mental and physical wellness, diversity, inclusion, and community outreach, we are committed to making a culture that is inclusive to all.
Onbe is proud to be an equal opportunity employer. We seek out ways to create a mindful workforce that embraces diversity and celebrates a culture of inclusion. We do not discriminate against employees or job applicants on the basis of race, color, ancestry, national origin, sex (including pregnancy), gender identity, sexual orientation, marital or family status, religion, age, disability, genetic information or military service. Our equal opportunity policy applies to all decisions of employment including hiring, placement, promotion or advancement, termination, layoff, recall, transfer, compensation, training and leaves of absence.
Medical insurance, dental insurance, vision insurance, 401(k), paid maternity leave, and paid paternity leave