The IT Governance, Risk & Compliance (IT GRC) Senior Analyst shall be responsible for the development, execution, and delivery of activities supporting the associated IT GRC and information security programs. These programs directly facilitate the establishment, growth and maturity of IT governance, risk management, and compliance practices at AutoNation.
The IT GRC Senior Analyst should be able to demonstrate proficiency in risk management concepts (related to information security), and must be familiar with the NIST Cybersecurity Framework and the related 800-series of standards and guidelines. The candidate shall also support the design and implementation of the RSAM GRC system, and must demonstrate experience with either this toolset or RSA Archer GRC.
The position reports to the IT GRC Senior Manager in the Information Security department, and works closely with teams in Information Security, Technology (IT) support and operations, Internal/External Audit, and business/system/information owners to deliver on the listed responsibilities and to provide guidance on information protection and controls compliance.
Lead the development and maintenance of information security policies, standards, and control procedures to enable compliance with applicable regulations and industry standards, including Payment Card Industry Data Security Standard (PCI DSS), and Sarbanes Oxley (SOX).
Lead data governance activities, including, but not limited to: vendor risk management execution and maturation; compliance efforts for conforming with privacy legislation.
Lead the development, implementation, and execution of a Risk Assessment program, based on NIST SP 800-30.
Support the implementation, expansion and/or maturation of various modules within the RSAM GRC toolset. This may include project and/or service provider management activities.
Provide consultative advice and serve as a subject matter expert in areas of technology and business process security controls to internal customers, enabling teams to make informed risk decisions and assisting with the development of acceptable risk mitigation strategies, documented processes, and adoption of good practices.
Identify opportunities and lead efforts to drive organizational information security risk posture and process improvement. Maintain strong working relationships with individuals and groups involved in managing information security risks across the organization.
Work closely with regulators and auditors as a point of contact for information requests and issue management/escalation.
Organize and/or lead IT Governance meetings, prepare meeting agendas and minutes.
Support IT GRC team members as necessary with other IT GRC program areas, including but not limited to vendor risk management, information security training and awareness, and SOX internal control reviews.
Perform other duties as assigned by management.
Bachelor's degree in related field. Master's preferred.
Five (5) years' experience in information security, IT audit, IT compliance, or closely related field. Big Four experience preferred.
Industry certifications preferred: CISA, CISM, CRISC, CISSP, or similar information security/IT audit discipline.
RSAM or Archer Certified Administrator preferred.
Excellent interpersonal, written, and oral communication skills required.
Experience with leading teams and/or staff management preferred.
Possess a general understanding of underlying IT infrastructure, architecture, and concepts.
Excellent time management and related organizational skills, including appropriate sense of urgency, a proactive approach, and a suitable ability to anticipate and manage project lifecycle events, issues, and challenges.
Strong analytical and problem-solving skills. Advanced use of Microsoft Excel and/or Tableau preferred.
Ability to work both independently and as part of a team to deliver quality work product in a timely fashion in a fast-paced environment.
Demonstrate understanding of PCI DSS, SOX, NIST Cybersecurity Framework, NIST SP 800-53 r4, COBIT, and ITIL frameworks.
Next Possible Position:
IT GRC Manager
Extended working hours may be required as dictated by management and business needs.
Ability to travel (10%) to multiple facilities as business needs dictate.
May be required to sit and review information on a computer screen for long periods of time.
May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.