IT Governance, Risk and Compliance Analyst

The IT Governance Risk and Compliance Analyst will be assisting the GRC team in managing information security compliance and privacy related activities. The GRC Aanlyst will act as the subject matter expert in PCI, SOX, CCPA, and other regulatory compliance legislature. The Analyst will design and implement security technology solutions to support compliance needs.

Job Responsibilities:

• Assist in the development and maintenance of information security policies, standards, and control procedures to enable compliance with applicable regulations and industry standards, including Payment Card Industry Data Security Standard (PCI DSS), California Consumer’s Privacy Act (CCPA), and Sarbanes Oxley (SOX).
• Perform security risk assessments on new or existing IT products, services, and technologies to analyze controls, identify and evaluate mitigating control opportunities and assign residual risk using the organizational risk management methodology.
• Support the development and execution of an annual enterprise-level IT risk assessment.
• Work to evaluate, design, implement new capabilities in RSAM to support ongoing use, such as report generation, record status monitoring and tracking, user and workflow management.
• Provide consultative advice to internal customers in the areas of risk management, technology and business process security controls, to enable them to make informed risk decisions, develop acceptable risk mitigation strategies, documented processes, and achieve controls compliance.
• Identify opportunities and support efforts to drive organizational information security risk posture and process improvement.
• Maintain strong working relationships with individuals and groups involved in managing information security risks across the organization.
• Work closely with regulators and auditors as a point of contact for information requests and issue management/escalation.
• Organize and/or support IT GRC-related meetings; prepare meeting agendas.
• Support information security risk management program reporting efforts.
• Support IT GRC team members as necessary with other IT GRC program areas, including but not limited to vendor risk management, information security training and awareness, PCI DSS self-assessments, CCPA data requests, and SOX internal control reviews.
• Other tasks as assigned

Technical Expertise:

• Possesses in-depth understanding of risk management concepts, and is knowledgeable in relevant cyber-security and IT controls frameworks, such as NIST CSF, and NIST 800-53.
• BS. Degree required in Computer Science, Information Technology, or related field of study; or any equivalent combination of relevant background, skills and experience.
• 5+ year’s relevant experience in Information Security in medium to large organizations.
• One or more security certifications such as CISSP, CISA, SANS GIAC, or relevant security certification(s) required.
• Hands-on experience with two or more of the following: GRC tools such as RSAM, Archer, etc.
• Other complimentary skills include: regulatory compliance or legal background
• High degree of proficiency MS Office Suite, Outlook & Internet applications.
• Strong analytical, prioritizing, interpersonal, problem-solving, and presentation, project management (from conception to completion) and planning skills
• Strong verbal and written communication skills.
• Strong negotiation/mediation skills.
• Demonstrated collaborative skills and ability to work well within a team.
• Ability to work with and influence senior management.
• Ability to work in a fast-paced and deadline-oriented environment.
• Self-motivated with critical attention to detail, deadlines and reporting.

Next Possible Position:

Information Security Engineer

Physical Requirements:

• Extended working hours may be required as dictated by management and business needs.
• Ability to travel (25%) to multiple facilities as business needs dictate.
• May be required to lift, push, or pull materials weighing up to twenty (20) pounds.
• May be required to sit and review information on a computer screen for long periods of time.
• May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.

AutoNation is an equal opportunity employer and a drug-free workplace.

Keywords: Information security; PCI, SOX, CCPA; IT Security; security risk assessments; Fort Lauderdale; South Florida; IT Security Analyst

Company Overview