Essential Duties and Responsibilities
- Design and lead the information security risk assessment strategy, methodology, and process
- Implement, manage and execute compliance programs associated with SOC 2, ISO 27001, Privacy compliance (multiple regulations) and federal NIST requirements
- Coordinate execution of enterprise-wide information security risk assessments, including the negotiation, reporting and oversight of risk treatment plans to address findings
- Work with business partners, Global Risk Management, IT Risk, Product & Data Security, Privacy, and outside consultants on required information security risk assessments and audits
- Investigate, evaluate, and advise on implementation and effectiveness of security controls for compliance with applicable information security laws, regulations, and policies
- Write effective communications to stakeholders and team
- Design, write, and implement manual and automated controls, and track their implementation
- Ensure key security internal controls are identified, implemented, tested, and remediated as required
- Perform compliance control testing: evaluate the effectiveness of internal controls using various methodologies, including inquiry, documentation review, observation of activities, analytics, anomaly identification, and examination of transactions
- Record audit findings and work in a clear and organized manner
- Triage process or control ownership changes affecting compliance monitoring
- Test cloud provider settings and configurations
- Evaluate and advise on security control recommendations to mitigate information security risks
- Create, review, and test control attestations for the quarterly controls self-assessment program, including writing audit test-program steps
- Manage Security Exception requests for risks and track resolution process
- Advise on enhancements to enterprise Security Policies and Standards
- Strategic planning for future framework implementation and arranging timelines with affected parties
- Perform gap assessments of current operations against frameworks not yet implemented, and determine an action plan
- Work directly with colleagues to provide advisory services and guidance that will reduce organizational risk, improve their overall security posture, and achieve compliance
- Create, QA, maintain, troubleshoot with developers, and publish metrics and dashboards
- Create and deliver operational and executive summary reports for information security risk activities
- Prepare reports and other deliverables that contain strategy, technical analysis, findings and recommendations
- Evaluate acquisitions for their compliance posture and tools, and create remediation plans to bring them in line with Sorenson standards, noting exceptions
- Process initial vendor requests and renewals, and manage the third-party risk management (TPRM) program and lifecycle for vendor security
- Represent the Security Risk & Compliance team on input to contract requirements relating to information technology and security controls
- Create and maintain job aids for various functions
- Manage risk and compliance resources for team, including training new staff members or cross-training teammates
- Learn and perform end-user administrator functions in the GRC software application
- Respond to security assessments, questionnaires and audits from regulators, clients and third-party business partners
- Respond to client third-party audit or assessment requests to facilitate business transactions and maintain strategic business relationships
- Write, and obtain approval for, responses to client inquiries, and maintain a library of records, documentation, and responses
- Other projects and duties as assigned
Education and Licensure
Minimum four-year Bachelor of Science degree in a related field
At least one of the following certifications: CIA, CISSP, CRISC, CISA, CISM. Equivalent work experience may be considered.
* Applicants must be legally eligible to work in the United States to be considered. Visa sponsorship is not available for this role *
Experience
5-7 years’ work experience in Information Security and Technology Auditing, with a combination of: IT general controls, operational security, application security, risk management, vendor assessments, audit testing, data analysis, governance, compliance, or internal audit.
3 years’ experience specific to Security Risk Management and Compliance programs, process and internal control design, audit testing, frameworks, cloud security audit, and audit management and execution
Knowledge, Skills, and Abilities
- Strong analytical skills
- Excellent written and verbal communications skills, including presentational skills
- Ability to troubleshoot, problem solve, and negotiate action plans with other departments
- Ability to work with others in both individual and team settings
- Understanding of or experience with industry and regulatory standards, including NIST 800-53, HIPAA Security Rule, ISO 2700x, AICPA SOC 2, PCI DSS, GDPR, CCPA
- Prior experience auditing and performing quality control actions of audits
- Experience with GRC tools for information gathering and reporting
- Knowledge of cloud provider offerings
- Demonstrated experience in building cyber security strategies and programs for large and complex organizations and/or smaller or startup companies
- Proven track record in defining, developing, and implementing cyber risk management structures, governance models, and organizational transformations in the area of cyber security
- Ability to write and create timelines, solution workflow diagrams, system documentation, playbooks, policies, etc.
- Strong domain expertise and understanding of five or more of the following areas:
  - Cyber risk program management and delivery
  - Security architecture knowledge
  - Security technologies functional understanding (e.g., firewalls, security event monitoring, intrusion detection and prevention, malware detection)
  - Data protection and privacy
  - Application security/SDLC
  - Third-party vendor risk management security assessments
  - Cloud security
- Strong experience in designing and developing cyber security programs that are aligned with industry standards and regulatory requirements (e.g., ISO 27001/27002, NIST Cybersecurity Framework)
Working Conditions and Physical Requirements
- Able to sit for a long period of time at a desk or table in an office environment.
- Able to stand for periods of time.
- Dexterity of hands and fingers to operate a computer keyboard, mouse, tools, and to handle other computer components
- Self-provide a reliable source of internet service when not on-site. Plan ahead for outages of the primary connection; arranging an alternate secondary internet connection in advance is recommended. Work hours missed because of an outage must be reported as Paid Time Off. A self-provided UPS or battery power station can keep internet equipment running during an electrical outage.
- Local personnel are currently required to work part of the week in the office.
- On-video attendance is expected for a majority of meetings.
- Regular and predictable attendance required.
- Positive attitude, team player, good interpersonal communication skills and able to work across company departments.
- Oversee team members’ work when they are supporting your projects or functional area.
Travel Requirements
Less than 25%. May include domestic or international travel.
Benefits
- Paid Vacation Time and Paid Sick Time and Paid Holidays
- 401k 6% match with immediate vesting
- Nationwide Medical Insurance plans and coverage (Medical, Dental/Orthodontia, Vision)
- TeleDoc
- HSA company match
- 3 Medical plan options including a Low Deductible PPO Medical Plan Offering
- Employee Assistance Program
- Engaged Employee Resource Groups
- Outstanding Learning and Career Development Opportunities
Pay Range: Actual pay may vary up or down depending on job-related factors which may include knowledge, skills, experience, and location. In addition, this position may be eligible for incentive compensation.
Company Summary
Our Mission…Harnessing the power of language, we connect diverse people and enrich the human experience.
Our Vision…To provide global language services that expand opportunities, nurture belonging, and empower the world to connect beyond words.
As one of the world’s leading language services providers, Sorenson combines patented technology with human-centric solutions. We strive to increase diversity, equity, inclusion, and accessibility for underrepresented people through communication solutions for all: call captioning and video relay services, over-video and in-person sign language and spoken language interpreting, translation, real-time captioning, and post-production language services.
Sorenson’s impact vision and plan extends to supporting employment opportunities for diverse employees, customers, and communities. As a minority-owned company, we are committed to expanding opportunities for underserved communities while promoting an inclusive workplace for our own employees.
Equal Employment Opportunity: Sorenson Communications is an Equal Opportunity, Affirmative Action Employer.
Come be a part of our mission and make a meaningful and positive impact with the industry leading provider of language services for the Deaf and hard-of-hearing!
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)