At American Family Insurance, we’re driven by our customers and employees. That’s why we provide more than just a job – we provide opportunity. Whether you’re already part of our team in search of a new challenge or new to our company and ready for what’s next, you’re in the right place. Every dream is a journey that starts with a single step. Start your journey right here. Join our team. Bring your dreams.
Job ID: R9449
IT Compliance Analyst (Information Security Compliance & Governance) (Open)
This position will be responsible for coordinating the IT compliance program for financial reporting. This includes establishing, documenting, validating, and managing the IT General Controls (ITGCs) for financially significant applications.
Preferred candidates are familiar with CySA+, Model Audit Rule (MAR), Sarbanes-Oxley (SOX 404), and NIST Cybersecurity Framework (NIST CSF).
The Information Security Compliance and Governance Analyst works with management and team members on our Information Security compliance model and programs, and monitors and reports on the company’s information security compliance posture to aid in the defense against external threats and protect customer and enterprise data. Collaborates with Internal Audit, Financial Controls Reporting, compliance teams, Sourcing, and other departments to communicate and monitor our security compliance model and programs. Collaborates with other members of the Security Compliance & Governance Unit and the Security Department, and has knowledge in most primary accountabilities to aid with security risk assessments. Ensures adequate and effective security controls are documented and followed in support of compliance and data security requirements. The analyst collaborates with other members of the Security Department to manage control oversight, testing, gap analysis, measurement, and remediation tracking, and helps facilitate internal and external audits and audit report preparation for review by Security Management.
Specialized Knowledge and Skills Requirements
Demonstrated experience providing customer-driven solutions, support or service.
Demonstrated experience communicating security concepts based on audience experience.
Basic knowledge and understanding of how information security affects an organization and ability to link it to business processes.
Basic knowledge and understanding of audit standards, practices and control frameworks.
Basic knowledge and understanding of risk assessment and control methods.
Basic knowledge and understanding of end-user computing tools, hardware, application software, network, communications and mobile technologies.
Basic knowledge and understanding of information security policies, standards and processes.
Basic knowledge of electronic record retention policies and standards.
Basic knowledge and understanding of concepts and philosophies regarding the design and deployment of information technologies and associated architectural concepts, principles, and tools.
Additional Job Information:
Offer to selected candidate will be made contingent on the results of applicable background checks.
Offer to selected candidate is contingent on signing a non-disclosure agreement for proprietary information, trade secrets, and inventions.
Our policy restricts consideration of applicants needing employment sponsorship (visas) to specialty occupations. Sponsorship will not be considered for this position.
Relocation assistance is available.
Depending on qualifications, candidates can be considered at all levels.
Information Security Policies and Standards
Assists in developing and communicating security policies, standards, guidelines, and procedures. Helps ensure documentation is complete, up-to-date, and applicable to our environment.
Stays current with legal and regulatory requirements affecting information security and privacy.
Stays abreast of information security trends, methods, solutions, standards, and potential threats.
Reviews changes to standards set by organizations such as NIST and ISO for relevance to our environment, and provides a summary for peers and management to inform improvements to internally defined standards.
Assists in the development of the strategy roadmap to address identified information security risks.
Information Security Communications
Promotes the values and benefits of complying with security policies and standards.
Coordinates and conducts Information Security awareness events.
Assists in facilitating stakeholder discussions, coordinating the meetings, and leading discussions to appropriate resolution.
Assists in creating meaningful security content for web, email and other communication methods for the enterprise.
Collaborates with other Security Department units to build a Security Awareness program appropriate to changing threats and trends.
Information Security Metrics
Helps to establish security metric baselines and generates reports reflecting current performance against those baselines.
Assists in measuring and tracking performance against established goals and expectations.
Assists with the narrative summary and analysis of the metrics: what the numbers mean, what changes in the technology or security environment may have affected them, and what can be changed to correct any deficiencies.
Proactively researches new threats or trends to determine risk to our environment.
Information Security Compliance
Reviews security policies and standards for compliance to legal and regulatory requirements. Works with subject matter experts to maintain documentation; modifies or creates new security documentation as needed.
Assists in monitoring compliance with security policies and standards across the organization.
Assists in documenting and tracking requests for exception to standards. Monitors and communicates risk mitigation processes and progress toward remediation.
Is aware of processes and methods for addressing and/or acknowledging non-compliance with information security standards, and communicates them clearly to business areas.
Assists in reviewing contracts for new products or services impacting the technology environment to ensure alignment to company security standards.
Assists in developing and communicating guidelines for enterprise security practices.
Internal and External Audit
Assists in the development and management of the overall IT and information security internal controls strategy with others within IT. Partners with the corporate Financial Controls Reporting unit and Internal Audit to ensure alignment with the corporate internal controls strategy and plan.
Follows workflow to facilitate the effective and efficient monitoring, managing and reporting of internal controls operations.
Assists in developing a risk control matrix and control test plans for testing direct and complementary internal controls in accordance with legal, regulatory and contractual requirements.
Assists in control testing and documents results. Works with process owners to develop mitigation actions and follows up to ensure remediation steps are taken to completion.
Identifies opportunities to continuously improve control effectiveness and efficiency and reduce the cost of controls.
Assists in management response to internal and external audit and compliance requests.
Executes the electronic discovery process in accordance with internally defined processes, including the identification, collection, preservation and release of evidence to support or refute the facts and allegations of investigations and litigation. Consults with internal and external counsel in addition to other impacted areas within the corporation.
Communicates with all levels of management as appropriate on status and resolution of electronic discovery requests.
Maintains awareness of electronic records retention trends, methods, solutions and standards.
Maintains awareness of emerging legislation regarding record retention and privacy.