Risk and Compliance Manager

We continually strive for a workforce that reflects the growing diversity within the State of Illinois. A variety of employee backgrounds, perspectives, ideas and experiences are crucial to our ability to most effectively serve the public. Bilingual skills welcome.

Reasonable Accommodation Statement

The State of Illinois is committed to working with and providing reasonable accommodations to people with disabilities. Further, federal law requires employers to provide reasonable accommodation to qualified individuals with disabilities. Please tell us if you require a reasonable accommodation to apply for a job, interview for a job, or for any other activity related to the hiring process. Examples of reasonable accommodation include, but are not limited to, making a change to the application process (if possible), providing documents in an alternate format, using a sign language interpreter, or using specialized equipment.

To be provided a Reasonable Accommodation during the hiring process, you will need to provide a certification of disability from a physician, psychiatrist, school official or an Illinois Department of Human Services (DHS) Division of Rehabilitation Services (DRS) Vocational Rehabilitation (VR) Counselor. Supporting documentation should be uploaded under My Documents → Additional Documents section for each application.

Any questions on Reasonable Accommodations can be directed to Central Management Services Disability Resource Center at CMS.DisabilityResCen@illinois.gov or call (217) 524-7514 for further information and to request or discuss an accommodation.

Sponsorship for Employment

The State of Illinois does not provide sponsorship for employment visa status (e.g. H-1B visa status). To be considered for permanent employment with the State of Illinois, applicants must be currently authorized to work in the United States on a full-time basis.

Disclosure of Salary Information

In compliance with the Illinois Equal Pay Act, 820 ILCS 112/1 et seq., the State does not seek, request, or require a job applicant's wage or salary history. Employment decisions are not made based on an applicant's wage or salary history. To that end, please do not include wage or salary information in your resume or other profile or application materials.

Date: Mar 7, 2025
Location: Springfield, IL, US, 62704
Job Requisition ID: 45490
Agency: Board of Elections
Closing Date/Time: March 28, 2025
Anticipated Starting Salary: $7,500-$10,000 per month
County: Sangamon
Number of Vacancies: 1

The SBE is a non-code agency.

All applicants who want to be considered for this position MUST apply electronically through the illinois.jobs2web.com website. State of Illinois employees should click the link near the top left to apply through the SuccessFactors employee career portal.

Applications submitted via email or any paper manner (mail, fax, hand delivery) will not be considered.
Functional Statement

Reporting to the Chief Information Security Officer (CISO), the Risk & Compliance Manager is responsible for: assessing organizational risks, ensuring the agency's alignment to information security standards, collaborating with agency stakeholders to develop a risk management framework, performing gap analysis and recommending compensating technical and/or administrative controls, leading and managing information security compliance initiatives, maintaining policies, standards, procedures, and controls documentation, conducting comprehensive risk assessments, managing third-party risk, and overseeing the agency's security awareness initiatives.

Essential Function 1

Develops and implements risk management plans and processes that are aligned to business objectives and security requirements. Collaborates with agency stakeholders and control owners to develop and implement testing and evidence gathering methodologies. Analyzes and interprets audit results and provides recommendations to system owners and senior leadership to reduce risk. Serves as risk management subject matter expert in support of agency projects. Leverages GRC tools and the service desk to track progress and distribute compliance and risk remediation task assignments.

Essential Function 2

Conducts third-party service organization risk assessments to ensure supply chain risk is managed throughout the business relationship lifecycle. Establishes and maintains relationships with third-party vendors. Continuously monitors third-party risk by periodically gathering and analyzing vendor documentation such as SOC2 Type II, ISO 27001, technical diagrams, penetration test results, continuity plans, etc. Reports on the benefits and risk for the agency as well as requirements for service provider compliance. Creates, maintains, and distributes third-party vendor security questionnaires. Serves as the agency's liaison to ensure successful external third-party risk and vulnerability assessments. Communicates assessment results to leadership, business stakeholders, and program managers. Documents Corrective Action Plans (CAP) as needed and assists with the creation of agency Plan of Action & Milestones (POA&M).

Essential Function 3

Assists with the research, creation, maintenance, implementation and communication of Information Security policies, standards, controls, and procedures documentation. Evaluates and documents technical, administrative, and physical controls to ensure the agency demonstrates compliance and meets the requirements of its regulatory obligations. Leads efforts to remediate control gaps and presents findings to leadership. Facilitates data collection and eDiscovery efforts to support investigations of policy violations. Collaborates with the Information Security Operations team and other agency stakeholders to analyze security incidents and provide recommendations to reduce risk. Establishes and maintains a detailed risk register for the organization.

Essential Function 4

Develops and matures the agency's security awareness program. Utilizes a combination of third-party education resources and services, threat intelligence, and industry trends to create and distribute annual and supplemental security awareness trainings. Periodically provides agency staff with additional education opportunities such as presentations or workshops that are focused on information security, risk, and compliance.

Essential Function 5

Continues education by attending training, seminars, conferences, and obtaining industry certifications. Maintains a current understanding of the threat landscape by monitoring online information security related websites, blogs, articles, reports, as well as other security intelligence sources to keep up to date on the latest threats, IOCs and trends. Participates in cybersecurity focused organizations.

Essential Function 6

Performs other duties as required or assigned which are reasonably within the scope of the duties enumerated above. Provides off-hours support as required.

Minimum Qualifications 1

Associate's degree in a related field and a minimum of 10 years of Information Technology experience including 5 years of professional experience in information security and risk management. A combination of education, certifications and experience may be substituted for the degree.

Minimum Qualifications 2

Advanced knowledge in information security technologies, design, and architecture. In-depth understanding of risk management and security frameworks such as NIST, CIS, OWASP, COSO, ISO, FAIR, etc.

Minimum Qualifications 3

Prior success in performing risk assessments. Experience developing and implementing enterprise risk and compliance strategy and solutions.

Minimum Qualifications 4

Possesses the ability to write and communicate effectively with both technical and non-technical audiences.

Minimum Qualifications 5

Comfort presenting to executive leadership is a must.

Preferred Qualifications 1

One or more of the following certifications is highly desired:

CISA: Certified Information Systems Auditor
CRISC: Certified in Risk and Information Systems Control
CGRC: Certified in Governance, Risk and Compliance
CISSP: Certified Information Systems Security Professional
SSCP: Systems Security Certified Practitioner
CCSP: Certified Cloud Security Professional
IAPP: CIPP, CIPM, CIPT
COBIT: Control Objectives for Information and Related Technology
ITIL: Information Technology Infrastructure Library

This position title is eligible for our hybrid telework arrangement (up to 2 remote days per week) and tuition reimbursement programs (100% of tuition costs covered). Upon accepting this position, you will be eligible to enroll in the State of Illinois Group Insurance Program, which includes various highly competitive and low-cost coverage options for health, dental, vision, and life insurance. In addition, this position offers a competitive time off package, including: 12 paid sick days per calendar year (accrual basis); a minimum of 10 paid vacation days per calendar year (accrual basis); 3 personal days per calendar year; and 12 paid state holidays per calendar year.
The SBE welcomes all and promotes workplace diversity. It is our individual traits, character, and experiences that make each of us special and unique. It is only when we bring that individualism together and work as a diverse team that we thrive. There is no place for discrimination based on race, religion, culture, sexual identity or orientation, age, or disability at the State Board of Elections.
