Job ID: CT-Governance, Risk and Compliance Analyst (98591031)

Local/Hybrid GRC Analyst with Governance/Risk/Compliance, information security experience

Location: Hartford CT (CJIS)
Duration: 12 months

Minimum Qualifications
Five years of advanced IT skills with a high level of information security experience and expertise
Knowledge of information security risk management frameworks and compliance practices.
Knowledge of securing network technologies, client, and server operating systems.
Ability to develop security standards and guidelines based on best practices and industry standards
Experience responding to, analyzing, and communicating information security incidents
Five years of planning and managing security projects
Excellent interpersonal, communication, and presentation skills, including formal report writing experience
Understanding of common security standards and regulations (e.g., industry standards such as the NIST Cyber Security Framework).
Preferably well versed in laws affecting the criminal justice environment in the following areas:
Information systems
Criminal justice agencies
Privacy and confidentiality
Compliance/audits
Federal/State Regulations

Preferred Qualifications
Bachelor’s degree in (Science, Technology, Engineering, Math) STEM field, or non-STEM field with demonstrated ability to manage complex business processes and technology. College credits combined with certifications by a qualified university may be considered in lieu of a BS degree.
Business Process Management, including lean or six sigma training
Information security experience in state/local government
Skills in documenting risk and compliance activities
Information security-related training or certifications such as CISSP or CRISC
Experience performing information security audits or risk assessments
Familiarity with security auditing processes
Familiarity with dashboard creation
Preferably has an understanding of criminal justice information systems and public sector data governance

SCOPE OF WORK
The Governance, Risk, and Compliance (GRC) Analyst is responsible for assessing and documenting the CJIS GB's compliance and risk posture as they relate to its information assets.

This position aims to provide highly skilled technical and information security expertise for developing and implementing the information security risk management program, compliance with regulatory controls, and policy management. Responsibilities require leadership and project management experience, as well as expertise to ensure practical system-wide security analysis, intrusion detection; standards and testing; risk assessment; awareness and education; and development of policies, standards, and guidelines. Additional duties pertaining to data governance will also be assigned for maintenance of the CJIS data dictionary.

Reporting position: The GRC Analyst reports to the CJIS Executive Director but will also take direction from the CJIS Program Manager and work collaboratively with CJIS project managers, solutions architect for hardware/software security solutions, and peers at other agencies in support of audits and other cyber-related activities.

Specific Services Required

Leadership
Perform other duties as assigned to ensure the department’s smooth functioning and maintain the organization’s reputation as a viable business partner.
Recommend programmatic and technical directions and operate with a high degree of independence in matters relating to the investigation, impact, and analysis of security incidents, risk decisions, and computer and network security measures.
Operate with a high degree of independence concerning project management activities, including developing security-related project plans and budget/resource estimates.

Risk
Lead the development and implementation of the system-wide risk management function of the information security program to ensure information security risks are identified and monitored.
Internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the CJIS GB information and technology systems.

Policy/Compliance
Lead the CJIS system-wide information security compliance program, ensuring IT activities, processes, and procedures meet defined requirements, policies, and regulations.
Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
Execute a strategy for dealing with the increasing number of audits, compliance checks, and external assessment processes for internal/external auditors, e.g., specifications such as FBI CJISD-ITS-DOC-08140-5.9 and CT CJIS Security Policy v1.

Data Governance
Working with CJIS PMs and Business Analysts, oversee management of the CJIS Data Dictionary and Information Exchange Package Documentation (IEPD) inventory. This will also require coordination with other agencies from time to time.

Outreach/Awareness
Interact in both oral and written communications with all levels of System staff, including data center staff, developers and other CJIS staff, other agency technical staff, general counsel, auditors, and all System staff and technology vendors and contractors, in matters related to information security and security awareness materials.

Audit
Work with Internal Audit, and outside consultants as appropriate, on required security assessments and audits.
Coordinate and track all information technology and security-related audits, including the scope of audits, colleges/units involved, timelines, auditing agencies, and outcomes. Work with auditors to keep the audit focused on its scope, maintain excellent relationships with audit entities, and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation, and advocacy on audit responses.

Problem-Solving Skills
Assess computer hardware, software, and systems for security risks or violations and work with staff and technology vendors to recommend solutions. Develop strategies to address awareness and training for all stakeholders, as well as technical solutions. Must be able to assess the status of complex multi-location projects and identify and implement appropriate corrective measures to resolve issues as they arise. Must have a strong customer service orientation and the ability to project that attitude to customers in remote locations.