- Contribute to the ongoing development of the Information Security GRC activities, strategy, and roadmap.
- Assist with operating IT Risk Assessment, Vendor Management, and Risk Management programs.
- Evaluate effectiveness and perform internal testing of security controls.
- Support internal and external audits.
- Collect and maintain evidence of compliance with information security policies and regulatory requirements.
- Coordinate written responses from customers and prospects on Information Security controls and regulatory compliance.
- Review and update information security policies, procedures, standards, and other InfoSec documentation.
- Assist in maintaining the Information Security documentation repository.
- Support vendor due diligence, security assessments, and review processes.
- 1-3 years of full-time work experience in IT audit or IT risk management. Experience in leading security assessments, IT vendor risk assessments, and InfoSec control management.
- Basic understanding of technical aspects of information security.
- Working knowledge of common IT technologies and processes.
- Understanding of common Information Security and Information Technology frameworks and standards, such as ITIL, COBIT, NIST, SOC 2 Type II, and the ISO 27000 series.
- Thorough understanding of risk management principles and methodologies.
- Ability to transform abstract regulatory requirements into cohesive compliance actions.
- Good communication skills including ability to present technical subjects to non-technical audiences.
- Strong work ethic, attention to detail, and organizational skills.
- Ability to multi-task and manage priorities in a fast-paced environment.
- Ability to collaborate in a team setting and moderate conversations involving cross-functional groups.
- Conceptual understanding of software development methodologies.
- Proficient with the Microsoft Office suite; presentation development skills.
- Working knowledge of PII, PHI, financial data regulations, data residency requirements, and international regulatory aspects pertaining to sensitive information.
- General knowledge of tools and services commonly employed within InfoSec is a plus.
- Experience with application security, SaaS, or cloud security is a plus.
- CISSP, CISA, or a similar risk management, audit, or security certification.