IT Risk and Assurance Analyst
A new opportunity is now available for an IT Risk and Assurance Analyst to join the second-line IT Risk and Assurance team, reporting to the Director of IT Risk and Assurance.
As an IT Risk and Assurance Analyst you will use professional expertise to enable the effective management of risk and provide functional assurance over related controls for IS in line with risk appetite. You will also engage with key stakeholders to manage, maintain, assess and monitor the risk and control framework, and provide timely reporting to relevant stakeholders. It is the responsibility of this role to deliver the risk and assurance activities defined by the IT Risk and Assurance Manager, to provide overall assurance over the key services delivered by the IT function, and to support compliance with external requirements, including external and internal audits.
In addition, you will assist the IT Risk and Assurance Manager in executing activities that support the IT Risk and Assurance Strategy and plan, including:
- Alignment of work to Group Policy and Standards including the Enterprise Risk Management Framework and Functional Assurance Standard.
- Overseeing IT risks.
- Evaluating and identifying new and current IT risks using both internal sources (audit findings, penetration test results, etc.) and external sources (threat intelligence feeds, industry-specific threat advisories, etc.).
- Reviewing the effectiveness of IT controls on an ongoing basis against the changing risk landscape, to evaluate changes in residual risk and to assess the sufficiency of the corresponding compensating control(s) or the need for new controls.
- Identifying opportunities for IS process improvement through controls simplification and standardization.
- Working with stakeholders to advise and provide guidance about the application of IS policies and standards and risk and control management processes.
- Creating reports, dashboards and related communications to report on risks and controls assurance for stakeholders and the various risk and control committees.
- Reviewing and dispositioning risk exception requests in accordance with policy and standards, and ensuring time-limited risk exceptions are reviewed prior to their expiry.
- Advising the IT function regarding policies and standards and helping control owners address control gaps via identification of possible compensating controls.
- Reporting on Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), and Key Performance Indexes (KPXs) for DTS risks.
You have the following competencies:
- Good understanding of, and ability to apply, commonly used concepts, practices and procedures for information technology governance, IT risk management and assurance, including familiarity with Governance, Risk and Compliance (GRC) platforms and their use
- Knowledge of standards, frameworks, methodologies and leading practices related to IT risk and controls identification, assessment, evaluation, response and monitoring
- Knowledge of risk registers, as well as identification, assessment and mitigation methodologies
- Balance of business acumen and technology knowledge
- Ability to grasp the interdependencies of key IT processes and workflows, external market factors and influences that drive the organisation, and apply these to the identification of effective risk and controls
- Understanding of the Information Security Forum (ISF) controls framework, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Control Objectives for Information and Related Technology (COBIT), and the International Organisation for Standardisation (ISO) 27000 series
- Knowledge of legal and regulatory environment affecting the power utilities, retail energy, or oil and gas industries from a technology perspective.
- Demonstrated ability to work in teams, with the ability to effectively prioritise work/delivery commitments to achieve timely and effective outcomes
- Effective communication skills (oral and written), with the ability to translate technical language into business language and vice versa
- Influencing key stakeholders to mitigate risks and meet compliance requirements
Your background and experience include:
- You are ideally educated to Bachelor's degree level and have Big 4 experience.
- Preferred experience in areas of IT audit, IT risk management, IT governance and/or IT compliance
- Preferred experience in information risk related best practices, policies, standards and regulations (e.g., ISO 27001, Information Security Forum (ISF), Payment Card Industry (PCI) Data Security Standard, and data privacy)
- Preferred experience with the emerging risk and threat landscape in the power utilities, retail energy, or oil and gas industries
- Certifications: preferred but not required certifications include CompTIA Security+, Certified Risk Manager (ISO 31000), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA)