This is a remote role, candidates from all US geographies will be considered.*
Remote position – The Security Risk & Compliance Analyst – GRC (Governance, Risk, and Compliance) is a position within the ACS (American Cancer Society) Cybersecurity Services team with primary focus on advancing the Society’s security posture in the following GRC functions, cybersecurity risk management, security governance, security awareness, internal audit management, skills training, Compliance (PCI, HIPAA, NIST, etc.), and vendor management. This role delivers consolidated visibility and data-driven analytics to assess and mitigate cybersecurity and technology risk against established frameworks, standards, policies, and methodologies. This role will collaborate with a team of subject matter experts within the Cybersecurity Services team and Cybersecurity Services leadership to ensure risk is appropriately managed to an acceptable level within the ACS environment. This position requires strong written and oral communication skills to communicate risk impact and likelihood to all levels of the organization and non-technical stakeholders.
Cybersecurity Risk Management
- Evaluate current & potential risks, assess how a malicious actor might exploit those risks, and recommend actionable risk mitigation plan to reduce risk.
- Perform independent analysis of information security risk to determine probable likelihood and probable frequency of occurrence.
- Identify and assess risk, determine applicable controls which mitigate risk, and communicate opportunities for control improvements.
- Prepare detailed, neat, and organized risk management documentation, clearly articulating the risk impact, likelihood, and mitigation recommendations to stakeholders.
- Assist business and IT teams with solution vendor selection and technology selections, as required to address risk exposure.
Internal Audit Management:
- Provide an internal audit process for review, evaluation, and documentation of audit findings.
- Evaluate and monitor internal and external security assessments, vulnerability reports, penetration tests, and audit reports.
- Analyze audit findings to determine applicable management response and mitigation plans.
- Prepare detailed and organized documentation, clearly articulating description, mitigation recommendations, and status updates.
- Assist business and IT teams as required to address audit findings and mitigation plans.
Payment Card Industry (PCI) Data Security Standards (DSS):
- Understand the PCI DSS and how it can help protect ACS customer data and business data.
- Assist with completion of tasks in the annual PCI DSS compliance assessment, where required and assigned.
- Prepare detailed, neat, and organized documentation, clearly articulating the description of the work performed, dates, and evidence collected.
Policy and Process Management:
- Develop, review, and analyze policies, procedures, exceptions, and workflow documents to identify gaps and risks based on controls and other ACS business processes.
- Assist business and IT teams with review, evaluation, and management of IT Policy Exceptions, where required and assigned.
Security Awareness and Skills Training:
- Develop and distribute notifications and reports to various levels of ACS leadership, when requested and required.
- Assist ACS leadership with training curriculum, templates, notifications, and other selections, as required to set up phishing and training campaigns.
- Collaborate with Cybersecurity Services team colleagues to assist with the implementation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and related security controls such as the Center for Internet Security (CIS) Controls.
- Contribute to the development and establishment of IT Security Program governance documentation.
- Perform control assessment to ensure effectiveness and compliance with IT Security program controls.
- Provide input to security program reporting on information risk Key Performance Indicators (KPIs), Key Control Indicators (KCIs), and Key Risk Indicators (KRIs)
- Provide security guidance to legal and business stakeholders on contractual agreements with third parties and recommend information security terms and conditions to be included based on ACS security policy, compliance obligations, and third-party risk.
- Provide review and approval of all IT security contracts for business continuation.
- Other duties as assigned .
- Bachelor’s degree in information systems, computer science, or related technical field is desired.
- Entry Level: 1-3 years of information technology, information security, or risk management practitioner experience.
- Mid-Level: 3-5 years of information technology, information security, or risk management practitioner experience.
- Senior Level: 5+ years of information technology, information security, or risk management practitioner experience.
- Security certification such as: CRISC, CISSP, CISA, CISM, CGEIT, GCCC, GSEC, or GISP desired.
- Certified Payment Card Industry – Internal Security Assessor desired.
PREFERRED SKILLS AND EXPERIENCE:
- Excellent communication (written and oral) and interpersonal skill.
- Proficient usage of Microsoft suite of products (Outlook, Teams, Word, Excel, PPT, Visio).
- Experience in using Azure DevOps Productivity such as boards, backlogs, and sprints.
- Knowledge of Onspring, or other GRC applications and automation a plus.
- Self-directed, collaborative, and results oriented.
- Ability to work under tight deadlines at a fast pace.
- Strong attention to detail, data accuracy, and data analysis.
- Experience in one or more: ISO 17799, NIST 800-37 and CIS Critical Security Controls.
- The ability to learn and apply new concepts quickly.
- Independent problem-solving experience.
- Comfortable with interfacing with other internal or external organizations regarding security policy and standards violations, security controls failure, and assessment responses.
- General understanding of the Factor Analysis of Information Risk methodology.
- Demonstrated knowledge of IT Security process frameworks, ISO (International Standards Organization) 27000. NIST, COBIT, COSO, ITIL.
The starting rate is $69,500 to $91,200 per year. The final candidate’s relevant experience/skills will be considered before an offer is extended. Actual starting pay will vary based on non-discriminatory factors including, but not limited to, geographic location, experience, skills, specialty, and education.
The American Cancer Society has adopted a vaccination policy that requires all staff, regardless of position or work location, to be fully vaccinated against COVID-19 (except where prohibited by state law).
ACS provides staff a generous paid time off policy; medical, dental, retirement benefits, wellness programs, and professional development programs to enhance staff skills. Further details on our benefits can be found on our careers site at: jobs.cancer.org/benefits. We are a proud equal opportunity employer.
Equal Opportunity Employer.
See our commitment to a policy of Equal Employment Opportunity to continually ensure equal opportunity to our employees and to our applicants.