Position: Data Privacy & Regulatory Compliance Analyst
Location: Remote - open to all time zones
Term: 9 Months w/possible conversion
The Data Privacy & Regulatory Compliance Analyst will support the control assessment function (QA Foundational Practices function) on the Data Privacy team. They will be responsible for validating the accuracy, security and integrity of Data controls. This role is a new addition to an evolving/growing program and will perform various assessment types against various types of regulation.
**** NY DFS ASSESSMENT AND FAMILIARITY A HUGE PLUS ****
In collaboration with all business areas and affiliates, the person in this role will assist in measuring the maturity of the protocols, applications and data-sharing arrangements used for handling highly confidential and personal data. They will provide management with observations and recommendations about opportunities to further strengthen existing controls or bring forth new ones. They will provide transparency into what the assessments are revealing and be able to summarize an executive-level conclusion (and support that conclusion with examples/context).
- Perform walkthroughs related to the use of applications used by the organization and any process disciplines to understand how data is being used, managed, stored, and when applicable, shared.
- Conduct Privacy Impact Assessments of applications and/or business processes identified as in-scope for Data Privacy Regulatory requirements, reconciled against the company’s Information Security Standards, and identify when other Regulations are in scope for future data reuse opportunities.
- Participate in developing and implementing action plans to maintain compliance with internal and external regulatory bodies. Collect evidence in a way that would support external, internal and self-auditing bodies.
- Provide guidance during development of internal systems/applications/infrastructure changes supporting the business to ensure appropriate compensating controls are in-place for ongoing compliance needs.
- Assist in the monitoring and investigation of operational issues that require an impact analysis concentrating on compliance matters or items resulting from Data Privacy Impact Assessments.
- Utilize the Data Privacy GRC Tool (TrustArc) and other Regulatory support tools (Nymity) to assess Data Privacy and Regulatory Compliance related matters and determine whether a shift in the environment will impact the DP and compliance activities owned by GIS.
- Technical acumen to manage and enhance enterprise Data Privacy tools and solutions.
- Assist in the development of, and provide, privacy training guidance to business clients to help keep the message of "data privacy importance" at the forefront.
- Support the identification of process improvements focusing on continuous improvement to move from manual to automated processes pertaining to security/data privacy controls.
- Provide appropriate reports and updates to the GIS manager on data privacy matters and assist with the creation/further development of appropriate tracking metrics.
- Knowledge of Vendor Risk Assessments and how third-party risk can be mitigated is important, as several applications will be provided and/or co-managed with a vendor. Understanding up front what a firm's Vendor Risk team would be assessing is useful but not a critical must-have.
- Knowledge in the areas of data and application/system risk analysis and data privacy regulations, hands on experience with various types of information and application security assessments, knowledge of IT security standards and best practices, and strong familiarity with the active and pending state privacy and security regulations.
- Must demonstrate proficiency in the areas of regulations such as: HIPAA, NYDFS, GLBA, State Data Privacy Acts, and PCI-DSS.
- Knowledge of common IS security regulations and standards, such as ISO/IEC 27001 and 27002, FISMA, the NIST Cybersecurity Framework, NIST Special Publications on security and AICPA SOC 2, is required. (Important: having this WITHOUT adequate Data Privacy familiarity is not a fit for this role.)
- 3+ years of experience conducting security control assessments, vendor risk assessments and/or IT/operational control audits. (Be specific on resumes, please.)
- Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Internal Auditor (CIA), and other applicable certifications preferred, but not required.
- Strong analytical and problem-solving skills, strategic, innovative and creative thinking with ability to assist in developing best practices.
- Project Management experience strongly preferred. This person will need to be organized and understand how to manage time and priorities to meet deadlines.
- Strong verbal and written communication skills with the ability to communicate regulatory concepts to a broad range of technical and non-technical staff. They are at times forward-facing to key personnel within the firm and external to it, and are also formulating communications that would be discoverable in any audit.
- Networking and relationship building skills required. If they are already part of industry networks, we would love to know that too.
- Ability to work independently and collaboratively, in a team and highly visible setting.
- A high level of initiative; a self-starter. Someone who drives to deadline, can operate under pressure and time constraints, and is willing to be cross-pollinated into other areas of this program.
- Familiar with using GRC platforms to capture and report on results.
- Good problem solver; must show initiative and must be comfortable in a start-up program environment!