IT Risk & Compliance (ITRC) Analyst

Job Description:

This role supports the ITRC goal to ensure risk inherent to technology systems and data is managed to a level within the Bank’s risk appetite The ITRC Analyst is responsible for monitoring, reporting, and executing risk management activities in areas such as technology deployments, vulnerability exposure assessments, third party access to non-public data, and information security used to protect against current or emerging threats to the Bank Additionally, this role partners with key stakeholders to ensure compliance with the IS and IT frameworks Primary Responsibilities: ·Conduct readiness assessments, including reviews of relevant documentation in advance of audits, 2LOD assessments, and external assessments. · Maintain the inventory of SOX IT General Controls (ITGC) and control tests in ServiceNow, updating as directed, and identifying opportunities for improvements in reporting and in using automation. · Liaison between control owner and internal auditors, and 2LOD assessors during audits and assessments, responsible for supporting control owners in the timely submission of artifacts · Ability to map key Information Security and Technology controls identified in policies, standards, and process documents to industry frameworks such as NIST CSF, NIST 800-53, CSA CCM, CIS v8.1, and regulatory requirements in FHFA Advisory Bulletins. · Ability to identify and document technology processes. · Manage the LogicGate Governance Library ensuring Information Security and Technology documents align with approval and publication requirements, relying equally on automated reminders as well as active engagement with document owners. · Maintain ITRC document archives in the ITRC shared repository. · Responsible for reporting status at a recurring cadence of open findings, observations, recommendations, and self-identified issues, and for submitting formal audit observation closure documentation. · As directed by the ITRC MD, document and report the progress and value of in-flight ITRC initiatives, identified risks, and planned initiatives. · Provide compliance review of requests for deviations from Information Security and Technology policies and standards, confirming compliance with Technology Exception requirements for components such as compensating controls, risk assessment, and documentation supporting exception request rationale. · Participate as a key stakeholder in the Architecture Assessment Review process, documenting meeting decisions, tracking deliverable commitments, and ensuring next steps are completed for proposed new technologies or changes in existing technologies. · Support ITRC team members as needed in conducting third-party security risk assessments for changes to existing third parties or proposed third party technologies.

Requirement:

Skills/Knowledge: · Required Core Competencies: Customer Focus, Decision Quality, Ensures Accountability, Drives Results, Drives Engagement, Collaborates, Values Differences, Communicates Effectively with all levels of staff and management, Instills Trust · 3 - 5 years of experience in technology risk or IT audit · Knowledge and experience with technology frameworks is required, e.g., CIS v8.1, CSA CCM, CoBIT, NIST, ITIL, et al. · Knowledge of Operational Risk Management and Technology Risk Management · Demonstrated ability to promote teamwork, act as a change agent, effectively remove obstacles, maintain high level of morale and motivation, and lead by example · Familiarity with SOX ITGC · Must be proficient with Microsoft Office (Word, Excel, PowerPoint) and Microsoft SharePoint. · Must have strong communication skills and be able to effectively communicate with all functional levels of the organization · Project management, planning, problem-solving and organizational skills required, preferably using Atlassian JIRA · Strong analytical, issue identification, prioritization, resolution, and report writing skills required. · Must be proactive and must be able to meet established deadlines. · Experience with a Governance, Risk and Compliance (GRC) tool is highly desirable, preferably ServiceNow and LogicGate. · Ability to learn use of the ProcessUnity/CyberGRX third party risk management platform Criteria: · 2 to 3 years experience supporting operational and technology risk management activities for Information Security and Technology