Senior IS Risk & Compliance Analyst

Job Seekers can review the Job Applicant Privacy Policy by clicking here.

Job Description:

Summary
The Senior Information Security Risk & Compliance Analyst will be responsible for supporting the security direction of the business and elevating the company's security posture. The Analyst is expected to support the security strategy within new and existing information systems capabilities. The Analyst's role lies within the Chief Information Security Officer's organizational structure, reporting to the Manager of Information Security Governance, Risk and Compliance. The role oversees the business' security requirements and obligations mandated by standards and regulations. In tandem with security leadership, the GRC security analyst consistently assesses and validates the assurance of the security program. As a primary point of contact for internal and external auditors, the GRC security analyst monitors progress and enforces resolution of outstanding issues that may lead to non-compliance or security threats to the business. As a key member of the security team, the GRC security analyst must focus on strong risk management and corporate resiliency, and not be driven solely by compliance.

Essential Functions

• Conduct enterprise-wide, ongoing information security risk assessments and risk management activities. Identify strengths and weaknesses in the security program. Analyze findings, and document, recommend and report program gaps to security leadership and business stakeholders; reduce risk by helping to prioritize and drive remediation efforts throughout the organization, and contribute to risk management, treatment, and reporting process efforts to protect data assets.
• Perform all ongoing compliance activities related to the implementation, maintenance, monitoring and continuous improvement of Ryder’s existing Information Security Management System (ISMS) based on the requirements of ISO/IEC 27001 International Standard as well as future compliance requirements. The analyst will work with various levels and departments across the organization to ensure appropriate documentation is maintained as evidence of competence and compliance and help to facilitate internal and external independent examinations. The analyst will also help to develop and implement an effective and unified global information technology/security compliance program with applicable data protection standards, legislation, as well as customer information security requirements.
• Perform assessments to maintain oversight of third party information technology suppliers to safeguard against undue risk. Create final reports of pros and cons, observations of anomalies, and deliverables for the business as well as mandates for supplier compliance. Articulate results of the final assessments to business stakeholders, project sponsors, program managers, and other internal parties. Assist with review of information security sections within supplier contracts to ensure security and data privacy requirements are in place.
• Evaluate the effectiveness of information security management and performance by developing, monitoring, gathering and analyzing information security and compliance metrics for management. Define qualitative and quantitative metrics to assess the success of the security program and provide regular reports to security and business leadership.
• Design and document IT general controls to ensure the business demonstrates compliance with its regulatory or compliance obligations. Facilitate and coordinate activities and responses related to internal and external controls testing including entitlement reviews. Facilitate the remediation of control gaps and escalate critical issues to management. Work closely with control owners, internal and external auditors to ensure requests are completed for timely delivery to audit. Assist with third party audits and certifications for the organization (i.e. SOC, ISO, PCI, etc.)
• Maintain oversight and administration of the GRC platform, Sensitive Data Discovery and Classification, and/or other compliance monitoring tools.
• Respond to customer information security requirements and due diligence questionnaires. Coordinate and facilitate response gathering in conjunction with other organizational applications, support, infrastructure, legal, HR, and physical security teams as necessary. Ensure responses are accurate, valid, consistent, and reported within expected deadlines. Maintain repository of customer information security requirements, track and report on compliance.
• Research, recommend, and contribute to information security polices, standards, and procedures and work with other organizational participants from legal, human resources, information technology, compliance, physical security, the business units and others that have to implement the policies. Participate in the lifecycle management of information security's policy and supporting documents.

Additional Responsibilities

• Provide assistance with other information security, risk and compliance projects and initiatives as assigned.
• Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Apply GRC expertise across key lines of business, including products, practices and procedures.
• Performs other duties as assigned.

Skills and Abilities

• Strong verbal and written communication skills
• Strong verbal communication and listening skills
• Ability to work in a regulated environmentAn understanding of organizational mission, values, and goals and consistent application of this knowledge
• Ability to present information and ideas clearly and understandably to othersAn ability to identify and assesses the severity and potential impact of risks and communicate risk assessment findings to risk owners outside Information Security in a way that consistently drives objective, fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance
• Ability to create and maintain professional relationships within all levels of the organization (peers, work groups, customers, supervisors)
• Ability to maintain confidential information
• Ability to simultaneously handle multiple priorities
• Ability to work independently and as a member of a team
• Demonstrates a high level of accuracy, even under pressure
• Possesses a high degree of initiativeAn understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business
• Seeks to acquire knowledge in area of specialty
• Excellent organizational skills
• Maintains a high degree of professionalism
• Proactively approaches responsibilitiesAn understanding of organizational mission, values, and goals and consistent application of this knowledge
• Ability to drive multiple projects to successful completionExcellent prioritization capabilities, with an aptitude for breaking down work into manageable parts, effectively assessing the priority and time required to complete each part
• Maintains composure under pressure
• Ability to analyze and solve problems
• Ability to effectively facilitate meetings, work sessions, and training
• Ability to group, categorize, and systematize data, people, or thingsAbility to collect, compile, gather reports with associated email thread responses ensuring respective reports and responses are maintained separate for each entitlement report reviewer
• Ability to work within tight timeframes and meet strict deadlines
• Flexibility to operate and self-driven to excel in a fast-paced environment
• Ability to work with others in a professional manner while achieving a common goal
• Capable of multi-tasking, highly organized, with excellent time management skills
• Ability to effectively manage a variety of tasks and projects simultaneouslyAn ability to work on several tasks simultaneously and pay attention to sources of information from inside and outside one’s network within an organization
• Ability to influence internal and/or external constituentsAn ability to effectively influence others to modify their opinions, plans, or behaviors, with an emphasis on collaborating across multiple teams and ensuring program needs are satisfied through interpersonal and trusted communication
• Demonstrates excellent judgment and decision making skillsStrong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one
• Ability to listen, write, and speak effectively Inform, explain, and give instructionsAn ability to communicate complex and technical issues to diverse audiences, orally and in writing, in an easily-understood, authoritative, and actionable manner
• Exposure to and familiarity with relevant standards such as ISO/IEC 27000 family - Information Security Management Systems, NIST Cybersecurity Framework, NIST 800, and applicable laws related to regulatory compliance, information security and privacy (e.gSOX, HIPAA, GDPR, PCI-DSS) intermediate required
• Knowledge of information security risk management and IT controls frameworks and methodologies (e.gISO/IEC 27005, COBIT, OCTAVE) intermediate required
• Knowledge of Risk Management Principles (risk avoidance, transfer, mitigation, acceptance), Risk Assessment process intermediate required
• Knowledge of Cloud Security - Cloud Control Matrix (CCM), Consensus Assessment Questionnaire (CAIQ) intermediate required
• Knowledge of Common Controls Hub - Unified Compliance Framework (UCF) intermediate preferred
• Knowledge of Standardized Information Gathering (SIG) Questionnaire intermediate preferred
• Knowledge of AICPA SOC for Service Organizations intermediate preferred

Qualifications

• Bachelor's degree required Information Security, Information Technology, Management Information Systems
• Master's degree preferred Information Security, Information Technology, Management Information Systems
• Seven (7) years or more Experience with technology risks and controls and deploying information governance, information technology risk management, compliance, information secuirty, or privacy programs required
• Seven (7) years or more Experience with cyber security and information security program management and frameworks (e.g. NIST CSF, ISO/IEC 27000, etc.) required
• Exposure to and familiarity with relevant standards such as ISO/IEC 27000 family - Information Security Management Systems, NIST Cybersecurity Framework, NIST 800, and applicable laws related to regulatory compliance, information security and privacy (e.g. SOX, HIPAA, GDPR, PCI-DSS) intermediate required
• Knowledge of information security risk management and IT controls frameworks and methodologies (e.g. ISO/IEC 27005, COBIT, OCTAVE) intermediate required
• Knowledge of Risk Management Principles (risk avoidance, transfer, mitigation, acceptance), Risk Assessment process intermediate required
• Knowledge of Cloud Security - Cloud Control Matrix (CCM), Consensus Assessment Questionnaire (CAIQ) intermediate required
• Knowledge of Common Controls Hub - Unified Compliance Framework (UCF) intermediate preferred
• Knowledge of Standardized Information Gathering (SIG) Questionnaire intermediate preferred
• Knowledge of AICPA SOC for Service Organizations intermediate preferred
• Other Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified in Risk and Information Systems Control (CRISC) or Certified Cloud Security Professional (CCSP) credentials or International Association of Privacy Professionals (IAPP)

Travel
1-10%

DOT Regulated
None

Job Category

Information Security

Compensation Information:

The compensation offered to a candidate may be influenced by a variety of factors, including the candidate’s relevant experience; education, including relevant degrees or certifications; work location; market data/ranges; internal equity; internal salary ranges; etc. The position may also be eligible to receive an annual bonus, commission, and/or long-term incentive plan based on the level and/or type. Compensation ranges for the position are below:

Pay Type:

Salaried

Minimum Pay Range:

$100,000.00

Maximum Pay Range:

$110,000.00

Benefits Information:

For all Full-time positions only: Ryder offers comprehensive health and welfare benefits, to include medical, prescription, dental, vision, life insurance and disability insurance options, as well as paid time off for vacation, illness, bereavement, family and parental leave, and a tax-advantaged 401(k) retirement savings plan.

Ryder is proud to be an Equal Opportunity Employer and Drug Free workplace.

All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, sex, sexual orientation, gender identity, age, status as a protected veteran, among other things, or status as a qualified individual with disability.

Security Notice for Applicants:

Ryder will only communicate with an applicant directly from a [@ryder.com] email address and will never conduct an interview online through a chat type forum, messaging app (such as WhatsApp or Telegram), or via an online questionnaire.  During an interview, Ryder will never ask for any form of payment or banking details and will never solicit personal information outside of the formal submitted application through www.ryder.com/careers.

Should you have any questions regarding the application process or to verify the legitimacy of an interview or Ryder representative, please contact Ryder at careers@ryder.com or 800-793-3754.

Current Employees:

If you are a current employee at Ryder, please click here to log in to Workday to apply using the internal application process.

Job Seekers can review the Job Applicant Privacy Policy by clicking here.