Security Governance Analyst

Security Governance Analyst Position Summary This role will report to the Director Security Governance Awareness within Global Information Cyber Security as a member of the security governance team to help with governance of the Information Security program and security risks Together with the Director Security Governance Awareness this role will reduce risk by continuously reviewing refining and recommending improvements to the Information Security operating model policies standards and processes and provide reporting and recommendations to the CTO CISO and senior leadership Job Responsibilities Develop maintain evaluate and implement policies and procedures aligned with both business requirements and legislative changes i e ISO 27001 27002 COBIT 5 NIST CSF NIS2 GDPR Collaborate with subject matter experts to write policies and standards in line with the ADM Control Framework based on NIST CSF ISO 27001 27002 SCF Secure Controls Framework Lead control assessment activities addressing security and regulatory requirements engaging appropriate business units and personnel to plan and execute the ADM Control Governance program documenting gaps vulnerabilities and driving risk identification and intake Manage and maintain GICS SharePoint sites for security awareness policies standards training newsletters and reporting of threats Implement security policies and standards aligned with enterprise objectives Collaborate with subject matter experts to align security and compliance requirements with emerging business needs Participate in the development and implementation of security awareness program training materials and events Develop and deliver content to educate the business about the ADM Control Framework and other organizational programs Manage Global Information Cyber Security SharePoint Site Yammer and Social Chorus including all security awareness newsletters videos promotions team updates policies and standards Develop and communicate guidelines for enterprise security practices Assist with control design and implementation for the ADM Control Framework including tracking and reporting progress security control gaps and metrics Proactively identify and collect appropriate and meaningful metrics to be reported in order for the business leaders to make appropriate risk-based decisions Monitor compliance with security policies and standards across the organization utilizing reporting and metrics driving process improvement Compile review and analyze security information to provide recommendations metrics and reports for management review and decision making Facilitation and management of security policies policy exceptions standards procedures and guidelines Document and track requests for variance from standards Monitor risk mitigation processes and progress until variances are closed Actively stay aware of processes and methods for identifying and addressing non-compliance to information security standards and communicate the findings clearly to business areas Collaborate with key business units and capability stakeholders including but not limited to Privacy IT Internal Audit InfoSec Corporate Security and HR to develop and improve Information Governance across the enterprise Establish security metric baselines and generate reports reflecting current performance against those baselines using Power BI Document narrative summary and analysis of the metrics Review track and update company standards for compliance to legal and regulatory requirements Work with subject matter experts to maintain documentation modifies or creates new security standards as needed Monitor compliance with security policies and standards across the organization utilizing reporting and metrics Drive compliance improvement to processes Document and track requests for variance from standards Monitor risk mitigation processes and progress with the clients until variances are closed Perform functions in a timely manner and with extreme level of attention to detail urgency and thoroughness Job Requirements BA BS degree or higher or equivalent experience Minimum of 4-8 years of experience in security and IT OT related fields Experience managing SharePoint sites web development posting updates and configuring sites and forms Basic knowledge and understanding of how information security affects an organization and ability to link it to business processes Experience with Security Awareness program management and implementation Basic knowledge and understanding of risk assessment and control methods Basic knowledge and understanding of end-user computing tools hardware application software network communications and mobile technologies Basic knowledge and understanding of information security policies standards and processes Basic knowledge of electronic record retention policies and standards 5 years of regulatory requirements and frameworks such as ISO 27001 27002 PCI CIS CSC SOX HIPPA COBIT GDPR or NIST Cyber Security Framework CSF SANS 401 can be obtained after employment 5 years of experience in a GRC discipline One year of work in a Governance Risk Compliance GRC function in a highly regulated environment may substitute for up to 18 months experience Proven success implementing security policies standards and or controls Ability to translate strategy into actionable plans impact organizational change Familiarity with complex multi-national companies and distributed business models Ability to work across the organization building relationships and influencing peers and management through establishing trust and credibility Applies sound judgment and creativity to solve complex problems Ability to excel in a rapidly changing environment Experience in one or more of the following areas preferred network administration systems administration SDLC secure soft encryption asset management identity and access management Audit Governance Risk Compliance IT Operations Security Risk Management Strong verbal and written communication skills ability to drive discussions and influence decision making strong presentation and reporting skills Proficient in technical writing and leveraging various creative mechanisms to communicate to diverse audiences Ability to communicate with and create documentation for technical and non-technical audiences Strong leadership and communications skills Limited travel required Desired Skills Practical experience implementing NIST ISO or other industry standards Certifications such as CISM CISSP CISA or CRISC