Senior Analyst, IT Risk & Compliance
Sirius XM
Washington, DC, United States
Job Details
Position Summary:
The Senior Information Risk and Compliance Analyst is responsible for supporting the Information Security and Compliance Management group of the Enterprise Information Security and Compliance Department on all information security and compliance-related policies, standards, and practices across Sirius XM. In particular, this role is to ensure that compliance and information risk reduction goals, as they relate to information security, are identified, measured and met by the company. As a result, this role requires a combination of technical security and complex compliance analysis skills and abilities.
This position supports the Senior Director in managing the Company's IT General Controls for the SOX audit and compliance program, our Payment Card Industry Data Security Standard (PCI-DSS) assessments, and Do Not Call, COPPA, US-EU Safe Harbor Rule, Red Flag Rule, SEC security breach reporting, payment card reporting, federal and state security laws, and vendor contract and risk management compliance. This position will support the development, monitoring and reporting of governance, policy, and security risk management issues.
Enterprise Information Risk, Compliance, and Security Responsibilities:
• Responsible for supporting all aspects of information security as it relates to SXM's compliance programs (SOX, PCI, ISO, and others), serving as the information security and compliance subject matter expert for the enterprise, including radio and connected vehicle services, to enforce adherence to corporate information security policies and standards.
• Consults on the design of security controls and implementation of security features for the corporate network infrastructure, servers, workstations, network devices, multi-function devices, mobile computing platforms, partner facing systems and other externally facing technologies including telematics in-vehicle communications, information, and entertainment components and systems.
• Partners with Information Security leads throughout the enterprise to identify security risks and implement controls to reduce or eliminate risks by conducting risk and vulnerability assessments and validating the operation and tuning of security instrumentation, including vulnerability scanners, intrusion detection sensors, DLP, security log monitoring/correlation tools, file integrity monitoring solutions, and other security-relevant controls.
• Conducts security assessments, compliance test and evaluation (including PCI-related testing) and internal control testing (for IT general controls) to identify security gaps and areas of non-compliance, and develops risk mitigation strategies and remediation tracking in accordance with COBIT, ISO, and regulatory standards and policies.
• Reviews and monitors information security administration for existing and planned projects and identifies security gaps and impacts resulting from system changes and/or modifications. Responsible for actively tracking issue remediation status.
• Designs and manages the Vendor Information Risk Management Program, which includes conducting information security assessments, compliance due diligence, and oversight activities of third parties who have access to the company's environments or data.
• Creates and/or writes information security, compliance and privacy related policies and standards, and assists in decision-making regarding the implementation and enforcement of existing compliance policies and procedures to satisfy legal and regulatory requirements.
• Assists in the development of methodologies, procedures, and technologies for the execution of incident response within the enterprise and, where appropriate, assists in the investigation, resolution, and/or escalation through postmortem analysis to management.
• Creates and/or supports information security training and general information security awareness, PCI, and PII training as required to help raise awareness of information security across the enterprise.
Supervisory Responsibilities:
• There are no supervisory responsibilities associated with this job
Minimum Qualifications:
• A Bachelor's degree from an accredited institution or an equivalent combination of education and work experience.
• Fundamental understanding of risk-based information security management, as well as knowledge of applicable regulations, standards, and guidelines pertaining to information assurance (FIPS, NIST, ISO Standards).
• Ability to work with the development, integration, and infrastructure teams in implementing security controls.
• Ability to articulate vulnerability and security risk based on technical security posture.
• Ability to support the development of information security system level plan of action and milestones.
• Experience working on complex systems in a security engineering or other system-related role, including systems architecture, requirements analysis, integration, and process execution and evaluation.
• Experience in PCI, ISO, and SOX - required
• Experience in vendor risk management - preferred
• Experience in information security and risk policy and standards development - required
• Current CISA, CISSP, or CRISC required
Requirements and General Skills:
• Good public speaking and presentation skills
• Professional demeanor, good interpersonal skills and ability to interact and work with staff at all levels
• Excellent written and verbal communication skills
• Ability to work independently and in a team environment
• Ability to pay attention to details and be organized
• Ability to project a professional image over the phone and in person
• Commitment to "internal client" and customer service principles
• Ability to handle multiple tasks in a fast paced environment
• Willingness to take initiative and to follow through on projects
• Strong organizational skills and attention to details
• Excellent time management skills, with the ability to prioritize and multi-task, and work under shifting deadlines in a fast paced environment
• Must have legal right to work in the U.S.
• Ability to travel
Technical Skills:
• Knowledge of industry standards and best practices for IT audit -- COBIT, COSO Framework, SSAE 16
• Knowledge of industry standards and best practices for IT security -- ISO 27001/27002
• Knowledge of industry standards for payment card protection -- PCI v3.1, Call Center guidelines, Telephone Systems guidelines
• Thorough knowledge of MS-Office Suite (Word, Excel, PowerPoint, Access)
Equal Opportunity/Affirmative Action Employer - Minorities/Females/Protected Veterans/Disabled.
The requirements and duties described above may be modified or waived by the Company in its sole discretion without notice.