Security Analyst III -Department ISO & GRC -Job #21553
12 Months + Hours 8am to 5pm
• Seeking local candidates to the Torrance, CA area 90501
• Consultant will be virtual/offsite but due to nature of role will be required to come into the office based on project need
Establish, Maintain and Enforce North America Regional and Local / Company-specific Information Security (Cybersecurity), Data Privacy, and GRC Controls, Policies, Procedures and Standards.
Continuously monitor the status and effectiveness of all Information Security (Cybersecurity), Data Privacy, and GRC Controls
Develop Information Security (Cybersecurity) and Data Privacy processes and procedures and supports service-level agreements (SLAs) to ensure that effective controls and countermeasures are managed and maintained Ensure key risk indicators documented and are effectively monitored to prevent a negative impact on business objectives and brand reputation.
Ensure Remediation Plans and/or Compensating Controls are established to address risks or gaps identified by AHM IT GRC Staff or reported by internal and external auditors.
Establish continuous monitoring of all risks and gaps until they have been resolved. Compensating Controls must be re-evaluated at least annually to ensure they are still effective at addressing a risk or gap.
Maintain the Information Security & Risk Division’s Information Security (Cybersecurity), Data Privacy and GRC Policies, Procedures and Standards Documentation, including the associated repositories and portals.
Work with Client Business Units, Law Division, Internal and External Auditors to identify Information Security (Cybersecurity), Data Privacy risks, control requirements and standards using methods that may include risk and business impact assessments. Components of this activity include but are not limited to:
• Business System Analysis
• Communication, facilitation and consensus building
• Conducting Privacy Impact Assessments (PIA)
• Preparing post-PIA reports and presentations to advise IT and business unit management regarding residual risks, vulnerabilities and other Information Security and Data Privacy exposures, including misuse of information assets and noncompliance.
Facilitate and provide support for all internal and external audits or assessments, including state and federal regulatory agencies. Components of this activity include but are not limited to:
• Coordinate with Internal or External Auditors to comply with their audit requirements, including compiling and organizing audit requirements such as documentation, formal attestations by business unit or IT representatives, providing
• Assists in the coordination and completion of information security operations documentation.
Provide Information Security (Cybersecurity) and Data Privacy thought leadership and guidance to AHM IT Infrastructure and Application Development Units. Components of this activity include but are not limited to:
Support Information Security & Risk Division leadership in the development and implementation of strategies and campaigns to address risks or gaps and to reinforce Information Security (Cybersecurity) and Data Privacy practices, techniques and controls across Client
Research, evaluate and recommend Information Security (Cybersecurity) and Data Privacy technologies, then developing business cases that effectively capture the both quantative and qualitative characteristics of a technology project or proposal.
Work with AHM IT Department to identify, select and implement appropriate technical controls for Information Security (Cybersecurity) and Data Privacy
Play an advisory role in application development or acquisition projects to assess Information Security (Cybersecurity) and Data Privacy requirements and controls and to ensure that security controls are implemented as planned.
Collaborate on critical IT projects to ensure that information security and data privacy risks and concerns are addressed throughout the project life cycle.
Partner with AHM IT personnel and become a trusted resource and authority on information security and data privacy technologies, practices and techniques.
Required Skills - MUSTS
Bachelor's degree in information systems or equivalent work experience.
Industry-accepted Certification n for Information Security or Data Privacy
Experience with common information security management frameworks, such as [International Organization for Standardization (ISO) 2700x and the ITIL, COBIT and National Institute of Standards and Technology (NIST)] frameworks.
Knowledge of the fundamentals of project management, and experience with creating and managing project plans, including budgeting and resource allocation.
Audit, compliance or governance experience is required
Experience implementing Generally Accepted Privacy Principles (GAPP) or COBIT
Experience in developing, documenting and maintaining security policies, processes, procedures and standards.
Experience developing and/or implementing a governance model for privacy and confidentiality.
Experience with consumer credit, consumer and/or retail services marketing, and supplier management is beneficial.
Experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.
Experience overseeing information security and/or data privacy projects from concept through implementation.
Strong understanding of business applications, including ERP and financial systems.
Excellent technical knowledge of mainstream operating systems [for example, Microsoft Windows and UNIX] and a wide range of security technologies, such as network security appliances, identity and access management (IAM) systems, anti-malware solutions, automated policy compliance tools, and desktop security tools.
Knowledge of network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
Must be self-motivated with strong analytical, organizational, planning and problem solving skills.
Strong technical and business writing skills, as well as strong communication skills.
Ability to communicate well with technical teams, executives, auditors and business owners and other stakeholders as required
10+ yrs. experience with information security, privacy, or related field preferably in the captive finance or banking industries
Strong proficiency in performing enterprise risk, business impact, control, vulnerability, and privacy impact assessments. In-depth knowledge of risk assessment methods and technologies. In-depth knowledge and understanding of information risk concepts and principles, as a means of relating business needs to security controls.
The Business Analyst will assist with the following key tasks:
Support Third-Party vendor risk assessment processes; utilizing strategic partnerships with multiple internal stakeholder groups (procurement, legal, and business side operations).
Ensure North America Client companies are following all required Global & Regional policies/standards via assessments and audits of existing processes.
Partner with other internal non-IT, and external groups to stay aware the changing landscape e.g., new legislation and changes to existing legislation.
Partner with all North America Client companies to provide support and provide guidance on remediation/countermeasure plans regarding area requiring strengthening in security & privacy.
Monitor and report on remediation/countermeasure status monthly; working with the remediation owners.
Support GRC project activities as required to achieve unit level objectives; these may include but are not limited to: monitoring project progress, tracking non-compliant activities, resolving problems, publishing progress reports, remediation consultation, and driving remediation activities to completion.
Improve technical and business process by studying current practices, identifying problems and recommending solutions.
Support project managers as requested in performing daily, weekly, monthly, reviews and project updates.
Maintain and expand current documentation for policy & privacy compliance program activities as required in support of the daily operations.
Perform other assigned tasks as need for the GRC Unit as requested by leaders.
Previous working experience with GRC and in Information Technology with defining, analyzing, and documenting process, procedures related to disciplines within IT
Understanding of regulated environment or related IT audit background
and Information security related projects.
Demonstrate extensive knowledge of Third-Party Vendor Risk Management
• SOC2 Type 2 report analysis
• Data Security Safeguard Agreements (DSSA)
• Contractual review processes
• Penetration test results analysis
• HITRUST and ISO Certification analysis
Demonstrate knowledge of Risk Management Processes
• Risk triage process
• Risk exception process
Demonstrate broad competency and understanding in a variety of areas:
• Governance, Risk, & Compliance general practices and operational activities
• Policy development
• Standards development
• Risk Management
• EU GDPR
• NY Privacy Shield
• Traditional security (App, OS, DB, and Network)
• Mobile application security
• Cloud security (IaaS, PaaS)
Unique Skills Required (REQ)/Desired
Understanding of Third-Party Vendor Risk Management processes & practices (REQ)
General IT auditing process & practices (REQ)
Understanding of control framework NIST-800-53, ISO270001, & privacy legislation (REQ)
Min. of 5 years of direct exp. as Data Privacy Governance, Risk and Compliance (GRC) Analyst (REQ)
Automotive Captive Finance/Banking (PREFERRED)
By partnering with Kelly® Technology, you’ll have direct connections to top companies around the globe—giving you the chance to put your tech skills to work on some of today’s most intriguing, innovative, and high-visibility projects. In a world where change is the only constant, our unparalleled connections and IT market expertise help you take your skills exactly where you want to go. We’re here to help you gain experience, keep learning, and move your career forward.
At Kelly, we’re always thinking about what’s next and advising job seekers on new ways of working to reach their full potential. In fact, we’re a leading advocate for temporary/nontraditional workstyles, because we believe they allow flexibility and tremendous growth opportunities that enable a better way to work and live. Connecting great people with great companies is what we do best, and our employment opportunities span a wide variety of workstyles, skill levels, and industries around the world.
Kelly is an equal opportunity employer committed to employing a diverse workforce, including, but not limited to, minorities, females, individuals with disabilities, protected veterans, sexual orientation, gender identity. Equal Employment Opportunity is The Law.