IT Compliance & Risk Analyst in Tampa, FL at Vaco

Date Posted: 9/27/2019


Job Description


Under general supervision, carries out procedures to ensure all information systems and services meet IT&T organization standards and compliance obligations, including regulatory requirements, contractual requirements, and Emera requirements. The Compliance & Risk Analyst II is primarily responsible for audit readiness, compliance issue investigation and reporting, compliance information management, and controls/monitoring for multiple stakeholder sets. Advises IT projects to ensure an appropriate compliance posture. Acts as subject matter expert for certain compliance obligations.

Primary Duties and Responsibilities (in addition to those of Compliance Analyst I)

1. Responsible for one or more IT compliance programs (e.g., NERC CIP, PCI DSS, SOX, DFARS, Emera Cyber Security, DHS TSA Pipeline Security). This includes facilitating and tracking deliverables for root cause analysis, violation reporting, technical feasibility exceptions, mitigation plan development, evidence reviews, external audit preparation, and NERC Alert responses. Supports the development of flow diagrams or other illustrations showing the key steps of a given process or sub-process affected by applicable regulations and/or contract terms. As needed, coordinates and facilitates technical feasibility exception audits, mitigation plan completion audits, and other audit spot checks with external auditors. [30%]

2. Policies & Procedures: Liaises with IT&T areas such as IT Security, the IT Project Management Office, IT Infrastructure, Telecom, Access Administration, and affected corporate areas and business units to facilitate the evaluation, design, and implementation of effective methodologies, procedures, and controls that comply with new and existing regulatory requirements. [25%]

3. Controls & Monitoring: Provides independent assessment and assurance of the effectiveness and efficiency of the IT control environment. Administers and monitors the execution of the TEC compliance program by sampling compliance deliverables for acceptable content and assessing risk. Uses security tools to further sample content. Participates in the implementation of technology-based tools (e.g., GRC platforms) to support IT compliance and risk initiatives. [20%]

4. Responsible for one or more other areas within department as assigned [25%]:

a. As needed, provides updates to Business Strategy related to cybersecurity and impact of new legislation/regulatory requirements on TEC business operations.

b. Risk Management: Works with technology teams and business stakeholders on the design, implementation, and optimization of IT risk assessment practices.

c. Policies & Procedures:

i. Acts as ruleset liaison for assigned areas of compliance.

ii. Acts as ruleset Subject Matter Expert (SME) for:

1. Information Protection Program and assigned CIP compliance related to BES Cyber System Information.

2. NERC CIP Awareness Program.

3. NERC CIP Training Program.

4. NERC CIP Security Management Controls.

d. Training & Communication:

i. Ensures mandatory training is conducted, tracked, and recorded.

ii. Develops and facilitates compliance training for subject matter experts.

iii. Develops and/or provides input into the IT Security awareness program.

e. Performance Management: Develops and coordinates the assessment of cybersecurity awareness via tool-based phishing campaigns.