Law Firm
Atlanta, GA
Legal Staff Information Technology in Atlanta, GA
Legal Staff
Min 2 yrs required
Job Title: Information Security Governance Support Analyst
Job Responsibilities:
1. Assist with Management of Third-Party Risk:
- Conduct comprehensive risk assessments of vendors, emphasizing security measures and compliance with information security/cybersecurity frameworks.
- Evaluate vendors’ IT and information security systems to identify potential risks and vulnerabilities.
- Develop and implement vendor risk management policies and procedures.
- Collaborate with procurement and legal teams to ensure vendor contracts include necessary risk mitigation clauses.
- Monitor vendors’ performance and compliance with contractual obligations.
- Prepare reports, summaries, and metrics on third-party security assessments for stakeholders.
- Collect updated vendor assessment responses from existing vendors; review materials against previously stated responses and/or provided evidence in the context of the current risk environment.
- Analyze and interpret third-party security assessment findings and provide recommendations and remediation plans to mitigate identified risks.
- Monitor and track third-party risk issues, ensuring timely resolutions and appropriate risk mitigation actions are completed.
2. Coordinate Responses to Client Security Inquiries:
- Prepare responses based on the technical and policy environment.
- Collect and/or prepare evidence as necessary.
- Communicate progress to team members and clients.
3. Support Governance Initiatives:
- Maintain current knowledge of industry-recognized risks and security vulnerabilities, as well as current security solutions.
- Remain aware of industry standards, compliance, regulation requirements, and best practices.
- Recommend and/or support certification efforts.
- Identify, develop, and document policies and procedures.
4. Support Other Initiatives of the Information Security Team:
- Monitor software installations to ensure compliance with firm policy.
- Assist in the development and delivery of security awareness training.
- Support initiatives and special projects of other teams as required.
5. Manage and Monitor Configurations Related to Firm Policies, Client-Specific Policies, and/or Product-Specific Policies:
- Identify and recommend enforcement capabilities.
- Coordinate the establishment of necessary controls.
- Manage exceptions and exclusions.
Skills Needed to be Successful:
- Thorough understanding of governance concepts, approaches, controls, and frameworks.
- Strong technical understanding of security concepts, principles, and best practices in areas such as enterprise IT infrastructure and architecture, operating systems, servers, web applications, endpoint and network security, identity and access management, security protocols, cloud security, cryptography, secure coding, SSDLC, penetration testing, vulnerability management, patch management, SIEM, etc.
- Solid understanding of cloud vendors and the varying responsibilities between IaaS, PaaS, SaaS, etc.
- Experience with relevant governance frameworks (ISO27000, NIST CSF, etc.).
- Familiarity with relevant laws and regulation requirements (HIPAA, state privacy laws, EU privacy, GDPR, etc.).
- Experience in compliance, risk assessments, investigations, or other forensic reviews.
- Strong professional verbal and written communication skills, explaining technical information to clients, vendors, senior management, and staff (both technical and non-technical) and the ability to apply knowledge and deductive reasoning.
- Ability to work well in a team (team player) and individually (self-starter).
- Ability to multitask and switch focus among multiple different efforts quickly.
- Excellent organizational and self-management skills.
Education & Experience:
- Associate or bachelor’s degree is strongly preferred.
- Prior technical experience and prior risk, compliance, or governance experience are required.
- Applicable certification (CISA, Security+, CISSP, CGEIT, etc.) is strongly preferred.
- 2+ years of experience in risk management required.
- Cross-functional experience in IT or information security governance, risk management, and compliance (GRC), with a focus on third-party risk management and vendor management preferred.
- Experience executing and managing cybersecurity assessments in a heavily regulated industry.
- Knowledge of relevant regulations, standards, and frameworks related to third-party risk management, such as ISO 27001, NIST CSF, NIST SP 800-53, GDPR, and other industry-specific regulations.
Equal Opportunity Employer:
Law firm is an Equal Opportunity Employer and does not discriminate on the bases of any status protected under federal, state, or local law. Applicants will be considered regardless of their sex, race, age, religion, color, national origin, ancestry, physical disability, mental disability, medical condition (associated with cancer, a history of cancer, or genetic characteristics), HIV/AIDS status, genetic information, marital status, sexual orientation, gender, gender identity, gender expression, military and veteran status, or other protected category under the law on the basis of race, color, religion, sex, age, sexual orientation, gender identity and/or expression, national origin, veteran status or disability in relation to our recruiting, hiring, and promoting practices.
Additional Information:
The statements contained in this position description are not necessarily all-inclusive. Additional duties and responsibilities may be assigned, and requirements may vary from time to time. Professional business references and a background screening will be required for all final applicants selected for a position.
Jul 09, 2025
May 09, 2025