
IT Risk Management and Compliance Specialist
22 hours ago
Position Title: IT Risk Management and Compliance Specialist
Reports To: Sr. Manager Information Security
Division: IT
Direct Reports: 0
Location: US
Date Last Revised: 05/23/2024
Role Accountability
The IT Risk Management and Compliance Specialist at Lubrizol is a key resource in the development and continuous improvement of all aspects of the company's global Information Security program, including Third Party Risk Management. This role involves actively identifying and facilitating the elimination or mitigation of risks throughout the global environment, both internally and externally. The specialist will partner with technical teams to advise on applicable control requirements and potential solutions, ensuring that third-party relationships are managed effectively and securely.
In addition to Third Party Risk Management, the specialist will also be involved in internal auditing activities. They will participate in measuring and reporting compliance with IT policies and standards, conducting audits to assess the effectiveness and efficiency of risk management processes. This includes evaluating internal controls, identifying areas for improvement, and recommending and implementing enhancements to the program.
Furthermore, the specialist will be responsible for responding to external requests related to IT risk management and compliance. They will collaborate with relevant stakeholders to address inquiries, provide necessary documentation, and ensure compliance with external regulations and standards.
Overall, the IT Risk Management and Compliance Specialist plays a critical role in the global reach and effectiveness of Lubrizol's Information Security program by managing third-party risks, conducting internal audits, and responding to external requests.
Essential Job Functions
- Execute on the 3rd Party Risk Management program, managing and mitigating risks associated with third-party relationships.
- Execute the IT Risk Management processes to identify, assess, evaluate, and treat risks, supporting the global reach and effectiveness of Lubrizol's Information Security program.
- Recommend and implement Risk Management Program process improvements to enhance the effectiveness and efficiency of risk management practices.
- Facilitate and conduct technology and operational risk and compliance assessments to identify potential risks and ensure compliance with internal policies and external regulations.
- Respond to and support risk assessments or audits from external and internal customers, providing necessary documentation and addressing inquiries to ensure compliance and risk mitigation.
- Partner with technical teams, advising on applicable control requirements and proposing potential solutions to address identified risks, fostering a secure and compliant environment.
- Conduct compliance assessments of controls for in-scope systems, including remediation assessments and audit-readiness assessments, to ensure adherence to IT policies and standards.
- Identify control deficiencies and maintain records of deficiency details, including management response documentation and evidence of exposure checks, to track and address areas for improvement.
- Maintain and improve the Information Security Policy Set, ensuring that policies are up to date, aligned with industry best practices, and effectively communicated to employees.
- Provide insight and recommendations to leadership as part of a global information security team, contributing to strategic decision-making and continuous improvement efforts.
- Perform other information security activities as needed to support the overall objectives of the Information Security program at Lubrizol.
Critical Competencies
- Demonstrated effectiveness at working independently, establishing priorities, and managing task completion aligned with the needs of the organization, while actively collaborating with global stakeholders to ensure a unified approach to IT Risk Management and Compliance.
- Ability to effectively build relationships and work in a collaborative, matrix-driven, global environment, fostering strong partnerships with technical teams and stakeholders across different regions and time zones to achieve a consistent and globally impactful Information Security program.
- Sound decision-making, proactive/creative problem-solving, and strategic thinking skills, enabling the identification and mitigation of risks on a global scale, considering the diverse needs and regulatory requirements of different regions.
- Strong IT process discipline and critical thinking skills, ensuring consistent adherence to established processes and methodologies across global operations, while continuously seeking opportunities for improvement and standardization.
- Strong interpersonal skills, facilitating effective communication and collaboration with local users, global colleagues, and leadership, promoting a culture of information security awareness and compliance across the organization's global footprint.
- Must be able to drive clear accountability and expectations, ensuring that all stakeholders understand their roles and responsibilities in managing IT risks and complying with policies and standards, regardless of their geographical location.
- Strong written and verbal communication skills required to communicate complex concepts and technical information effectively, both internally and externally, across different cultures and languages, to support risk assessments, audits, and compliance reporting on a global scale.
- Ability to develop assessment plans for new technologies and processes without previous guidance or templates, demonstrating adaptability and resourcefulness in evaluating and addressing emerging risks in a global context.
- Able to learn and understand new legal or regulatory standards and apply a practical approach to implementing those standards across different regions, considering the global impact and ensuring consistent compliance throughout the organization.
Required Qualifications
Education / Certifications:
For the IT Risk Management and Compliance Specialist role, the following education and certification requirements are preferred:
- Bachelor's degree in Information Technology (IT), Information Security or a related field, providing a strong foundation in IT and Information Security principles and practices.
- Preferred certifications include CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), or CISA (Certified Information Systems Auditor). These certifications demonstrate expertise in IT risk management, information security, and auditing, which are highly relevant to the responsibilities of the role.
Experience
For the IT Risk Management and Compliance Specialist role, the following experiences are needed:
- Minimum of 1 year of relevant industry and professional experience in areas such as risk management, audit, third-party risk, operational risk, information security, or related fields. This experience provides a solid foundation in understanding and managing risks within an organizational context.
- Knowledge of third-party risk management, including the ability to assess and manage risks associated with external vendors and partners. Experience with IT risk assessments and operational processes is also valuable, as well as familiarity with techniques for implementing regulatory requirements.
- Understanding of security domains, including identity and access management, authentication, encryption, application security, network security, vulnerability and patch management, information security metrics, policies, standards, and procedures. This knowledge enables the specialist to effectively assess and address risks across various security areas.
- Knowledge of ISO and NIST security standards, which are widely recognized frameworks for information security management. Familiarity with these standards demonstrates an understanding of best practices and compliance requirements in the field.
- Knowledge of CIS (Center for Internet Security) benchmarks and controls is preferred. Familiarity with these controls demonstrates an understanding of industry-recognized security practices and their application in risk management and compliance efforts.
- Experience working for a US headquartered global organization.
Skills & Systems
For the IT Risk Management and Compliance Specialist role, the following skills and system requirements are needed:
- Proficiency in Microsoft Windows-based operating systems and collaboration tools, enabling effective communication and collaboration within the organization.
- Demonstrated understanding of risk management processes, including the ability to identify, assess, evaluate, and treat risks in a systematic and structured manner.
- Knowledge of basic IT security principles, networking concepts, Active Directory, and SAP ECC/S4 concepts. This knowledge allows the specialist to assess risks and implement appropriate controls in these areas.
- Familiarity with risk management frameworks, such as ISO 31000 or COSO ERM, providing a structured approach to managing risks and ensuring compliance with industry standards.
- Experience in documenting issues and solutions to assist end users and co-workers in understanding and resolving similar problems, promoting knowledge sharing and collaboration within the organization.
- Strong analytical and problem-solving skills, enabling the ability to analyze complex information, identify patterns, and make informed decisions to mitigate risks.
- Knowledge of regulatory compliance requirements, such as GDPR, HIPAA, or SOX, depending on the industry and region of operation.
- Familiarity with data privacy and protection principles, including data classification, data retention, and data breach response.
- Understanding of incident response and business continuity planning, including the ability to develop and test incident response plans.
- Knowledge of cloud computing security principles and best practices, including familiarity with cloud service provider security frameworks (e.g., AWS, Azure, Google Cloud).
- Strong project management skills, including the ability to manage multiple projects simultaneously, prioritize tasks, and meet deadlines.
- Excellent communication and presentation skills, with the ability to effectively communicate complex technical concepts to both technical and non-technical stakeholders.
- Continuous learning mindset, staying updated with the latest trends, technologies, and regulatory changes in the field of IT risk management and compliance.
These skills and system requirements collectively contribute to the capabilities of an IT Risk Management and Compliance specialist in effectively managing risks and ensuring compliance within an organization.
Work Environment
Role Scope
- Primary: IT Risk Management and Compliance Specialist
Travel
- Very limited
Work Hours
- M-F 2nd shift
Physical Demands
- General office-type activity