The Senior IT Governance, Risk and Compliance (GRC) Analyst is responsible for day-to-day activities across the entire scope of Benefitfirst's Security Governance, Risk and Compliance programs.
The job encompasses leading and participating in the assessment of security, risks, and control effectiveness for applications, infrastructure, and technology projects. The analyst will identify, classify, and document control issues in the Benefitfirst computing environment by documenting assessment results, recommending corrective action, tracking remediation, evaluating policy and control standard exceptions, and regularly reporting to IT management.
The analyst assists internal and external auditors in executing audits of Benefitfirst's computing environments and maintains the Information Security portion of Benefitfirst's vendor management program.
Duties & Responsibilities
- Internal Compliance - Leads IT control assessments to ensure effective IT controls are in place to meet operational and compliance requirements.
- Leads all SOC and HIPAA audits
- Vendor Risk Management – Represents BF and handles all vendor management requests from our business partners
- Performs ongoing logical access reviews and recommends updates to access control privileges to ensure proper segregation of duties based on user access reviews.
- Responds to client or vendor questionnaires in support of the sales team and contractual obligations.
- Effectively reports and communicates testing results to IT management for corrective action, where required.
- Performs evidence collection and assists with project management for the annual PCI DSS certification program.
- Tracks and monitors risk exceptions to ensure control deviations are identified and mitigating controls are in place.
- Assists with drafting and maintaining IT policies; facilitates annual policy review and approval by the corporate security committee.
- Contributes to the team knowledge base by participating in appropriate training and providing industry and best practice knowledge. Provides mentoring for other team members.
- Works with the IT, internal audit, compliance and other key stakeholders to create an IT GRC strategy that complies with professional standards and addresses the IT risks inherent in Benefitfirst's operations and industry.
- Demonstrates excellent project management skills, inspires teamwork and responsibility with engagement team members, and uses current technology/tools to enhance the effectiveness of deliverables and services.
- Facilitates the annual disaster recovery test and the testing of the business continuity plan.
Required Skills & Qualifications
- Demonstrated knowledge of recognized IT audit-related standards and regulations.
- Demonstrated knowledge of recognized IT process and quality frameworks such as COBIT
- Exceptional verbal and written communication skills
- Experience with high-priority, high-activity, multitasking environments
- PCI DSS audit experience is a plus, as lead auditor, primary audit respondent, or current/former PCI QSA
- SOC 1 Type 2 and SOC 2 Type 2 audit experience is a plus
- Experience with security compliance programs, standards and regulations including NIST SP 800-53, the NIST Cybersecurity Framework, and GLBA
- HITRUST experience is a big plus
- CISA, CISSP, CRISC, CISM or CBCP certification is desired
- Experience with GRC methodologies, tools and enablers in the financial services sector (e.g. Archer, KeyLight, etc.)
- Strong project management skills
Working Conditions and Physical Requirements
- Normal office environment
- The ability to lift and transport objects such as computers, printers, etc. is required
Education and Experience
- Bachelor's degree in Information Technology. An equivalent combination of education and work experience may be taken into consideration in lieu of a degree
- 4-6 years of relevant Information Technology (IT) experience, with a minimum of 2 years' experience focusing on IT Risk, Governance and Compliance