This is a Permanent Full Time position.

This position is for an Information Security Analyst within the Information Security team that participates in all aspects of information security Governance, Risk and Compliance (GRC).

The Security Analyst is responsible for

• Managing client and vendor risk assessments and ensuring compliance with client contractual and regulatory/legal security requirements.
• Validating level of compliance and evaluate information security risks across the entire company.
• Ability to make decisions and influence decisions in the areas of risk management and compliance are key to the role.
• Ensure that policy and compliance documentation, requirements and controls are properly and timely identified, mapped, tracked, reviewed, and reported for the organization to increase security posture.
• Aid compliance efforts related to various regulatory, legal, and security frameworks including SOC1, SOC2, DFS-500 and privacy laws like GDPR.
• Make sure that documentation, data, assessment information, and GRC program information are kept up to date.
• Work closely with other members of the Security Team and IT Infrastructure Teams to manage and support security administration tasks and security projects.

Responsibilities:

• Experience leading risk assessments, audits, policy, governance, and/or reporting, preferably in a financial institution
• Improve and maintain company policies and procedures documents. Research and develop policies, procedures and processes as the threat landscape and the organization change
• Assist with mapping controls to policies, procedures, and processes and testing of those controls to ensure adequate coverage
• Be the first responder to audit, regulatory exams and customer request for comments on the Information Security Program
• Work with control owners in the remediation and tracking of deficiencies.
• Continue to build out and maintain current GRC tools (Archer) and processes within information security to provide visibility and transparency related to risks, controls, assessments, and incidents
• Develop strong relationships with external auditors and key stakeholders to ensure risk management oversight is understood, managed appropriately and current with all standards, guidelines, and regulations that are applicable
• Assist with increasing the maturity of the Information Security Risk Management program, strategy and process.
• Provide security consulting services in identifying, assessing, managing, and tracking remediation of risks related to IT infrastructure, applications, platforms and suppliers and drive explicit requirements and timelines in all environments
• Provide update to head office on progress of remediation efforts

• 5+ years managing information security governance, risk, and compliance
• College Degree or equivalent work experience
• Excellent written and verbal communication and presentation skills;
• Interpersonal and collaborative skills; and the ability to communicate information risk-related concepts to technical as well as nontechnical audiences
• Demonstrated knowledge of industry authoritative sources such as NIST, SOC2 and ISO, standards, FFIEC framework and NYDFS-500 regulation
• Skilled at planning, tracking plans, working cross department to review risks, controls and processes, and gathering and organizing documentation and test results
• Working with GRC applications and toolsets, preferable RSA Archer
• Bachelor’s degree in information technology or security discipline (e.g. cybersecurity) or related worked experience
• Industry recognized security certifications strongly recommended (e.g. CISSP, CISA, CISM, CEH, etc.)
• Good command of spoken and written English. Chinese speaking is preferred
• Self-directed, works with minimal guidance, and recognizes when guidance needed
• Ability to cope with pressure and responsibly

This job description is not limited to the responsibilities listed and the incumbent may be requested to perform other relevant duties as required by business needs.