Security Compliance Analyst

The Security & Compliance Analyst is responsible for internal controls as well as the success of the RouteOne Information Security Program. This program is designed to protect company information, data and facilities; maintain the security of assets; and to ensure the efficacy of controls. The overall goal is to design, develop, implement, and maintain a comprehensive information security program that is appropriate to the sensitivity of the information and data that is scoped adequately for the size, complexity, nature, and risk of RouteOne's business activities. The ideal candidate will have the skill to communicate the details of this program, in writing and speaking, to management, external auditors and customers, regardless of their technical or non-technical backgrounds.

Job Requirements

• Execute and manage external and internal IT Security audits.
• Collect and maintain audit evidence for annual SOC (Service Organization Control) and GLBA audits derived from results of internal audits, including documentation of deviations
• Participate in audits of RouteOne's vendors and perform subsequent remediation tracking to closure
• Respond to audits from finance sources and other partners including participating and leading in-person audit sessions, answering detailed questionnaires, and gathering and providing evidence as well as managing remediation of findings from these audits
• Respond to due diligence requests from finance sources and other partners, providing documentation such as SOC reports, finance reports, and other evidence
• Design new controls and/or update policies and procedures to close audit findingsReview reports generated from various monitoring and scanning tools and respond appropriately
• Collect data, produce reports, and provide metrics from audits conducted to analyze network threats/vulnerabilities, evaluate risks, and determine how to improve existing cybersecurity measures.
• Contribute to certain functions within the information security framework that ensure confidentiality, integrity, and availability of information assets by protecting against unauthorized use, disclosure, modification, or loss.
  • Assist with informing and educating staff about information security, including phishing prevention
  • Assist in creating phishing campaigns and monitoring employee training compliance
• Assist in monitoring, administering, and enforcing security policies/procedures.
• Review existing documentation of IT controls, business processes, policies, procedures, and management reports for compliance, effectiveness, and sustainability.
• Manage remediation plans/corrective actions for any vulnerabilities or compliance failures reported in audits.
  • Evaluate vulnerability reports and perform gap analysis to assess compliance with evolving regulatory requirements and duties.
• Maintain safety, security, and privacy standards throughout all areas of responsibility.
• Assist in annual Risk Assessments and Business Impact Analysis reviews with management
• Assist in annual Business Continuity and Security Incident Response tabletop exercises

Knowledge

• Experience reviewing and/or drafting information security policies and procedures.
• Experience in audit or equivalent Information Security area with technically complex and diverse audits/projects.
• Demonstrated experience applying knowledge of internal control standards, objectives, and techniques unique to computer processing in a multiple platform environment.
• Solid knowledge of current industry information security principles, controls and practices.
• Knowledge of various compliance policies and programs (e.g., PCI, GDPR, ISO 27001).
• Understanding of security protocols and standards. (NIST, SOC, GLBA, OWASP Top 10)
• Knowledge of security intrusion prevention tools used to record, track, and examine intrusions to find ways to prevent future incidents.
• Experience in reporting analysis of potential cybersecurity threats, emerging practices and technologies to both technical and non-technical audiences.

Skills

• Proficient in Microsoft Office products, including, but not limited to, Word, PowerPoint, SharePoint, Excel, Outlook, Teams, and Visio. Experience with Microsoft Defender a plus
• Experience with Atlassian products such as Confluence and Jira, or ticketing systems such as Salesforce, ServiceNow, or CloudLink
• Understanding of SIEM (Security Incident and Event Management) products such as Splunk to review and act on security events, system vulnerabilities, and other security findings.
• Experience working within various compliance programs e.g., SOC, GLBA and NIST)
• Understanding of finance source and auto dealer industries a plus
• Knowledge of cloud, SaaS (Software as a Service) and shared security model responsibilities
• Proven organizational and time management ability
• Demonstrated experience of successful customer and vendor relationship management preferred

Abilities

• Ability to work both independently and in a team environment to establish priorities and execute subsequent plans successfully
• Ability to use relevant information and individual judgment to determine whether events or processes comply with laws, regulations, or standards.
• The ability to communicate information and ideas, both verbally and in writing, so others will understand risks and proposed solutions
• Ability to thrive in a dynamic, fast-paced software development environment. Knowledge of Agile Development a plus.
• Strong analytical, problem-solving, communication, and technical skills.
• Proactive, detail-oriented professional eager to grow in responsibility
• Flexibility to adjust to changing priorities and simultaneously work on high-visibility projects to ensure completion
• Adaptability to respond to security issues arising from new cybersecurity threats and emerging tools and technologies
• Ability to take a practical business-focused approach to IT Security.
• Willingness to be a continual learner in the cybersecurity landscape

Other Essential Requirements

• 2+ years of professional experience.
• Bachelor's degree from an accredited university.
• Cybersecurity, compliance and auditing experience.
• Ability to travel up to 25% of the time.
• Certifications through ISACA, CompTIA, GIAC or other professional certifying bodies a plus