IT Risk Assessment Professional

Job Description

This position drives ITRM process and/or methodology for designated ITRM initiatives by leading or directing team members in the documentation of process and/or service requirements and guiding and influencing leadership in the development of the ITRM strategy. This role partners with leadership to help define goals, objectives, deliverables, and guardrails within the governance framework to ensure the development and implementation of efficient, effective, measurable, and sustainable ITRM processes and controls. This role also executes and plans ITRM compliance assessments, drives and manages the design and implementation of appropriate controls, and manages large-scale ITRM service delivery and engagements from planning to completion, including financials

Essential Responsibilities                                                                         

• Conducts or oversees business-specific projects by applying deep expertise in subject area; promoting adherence to all procedures and policies; developing work plans to meet business priorities and deadlines; determining and carrying out processes and methodologies; coordinating and delegating resources to accomplish organizational goals; partnering internally and externally to make effective business decisions; solving complex problems; escalating issues or risks, as appropriate; monitoring progress and results; recognizing and capitalizing on improvement opportunities; evaluating recommendations made; and influencing the completion of project tasks by others.
• Practices self-leadership and promotes learning in others by building relationships with cross-functional stakeholders; communicating information and providing advice to drive projects forward; influencing team members within assigned unit; listening and responding to, seeking, and addressing performance feedback; adapting to competing demands and new responsibilities; providing feedback to others, including upward feedback to leadership and mentoring junior team members; creating and executing plans to capitalize on strengths and improve opportunity areas; and adapting to and learning from change, difficulties, and feedback.
• Drives ITRM processes and/or methodology for designated ITRM initiatives by leading or directing team members in the documentation of process and/or service requirements and acceptance criteria from process owners and key stakeholders; guiding and influencing leadership in the development of the ITRM strategy; partnering with leadership to help define goals, objectives, deliverables, and guardrails within the governance framework to ensure the development and implementation of efficient, effective, measurable, and sustainable ITRM processes and controls; and collecting, analyzing, and reporting performance metrics using company software and reporting tools.
• Executes and plans ITRM compliance assessments and consulting projects by leading intake, planning and coordination activities for new or revisions to technology systems or services; and driving and managing the design and implementation of appropriate controls through the sustainment phase.
• Manages large-scale ITRM service delivery and engagements from planning to completion by managing multiple workstreams, including stakeholder communications and team mentorship; and managing and monitoring financials for assigned initiatives.                                                      

Minimum Qualifications                                                                              

• Minimum four (4) years in an informal lead role working with business or technical teams.
• Bachelor’s Degree in MIS, Information Security, Accounting, Finance, Audit, or related field and Minimum eight (8) years experience in IT risk management, compliance, auditing, or information security. Additional equivalent work experience in a directly related field may be substituted for the degree requirement.
• Four (4) years of experience as a lead IT controls assessor
• Four (4) years of experience interviewing stakeholders on IT controls implementation in a large enterprise, including cloud technologies such as but not limited to Microsoft Azure.
• Four (4) years of experience in performing assessments and documenting the applicability and effectiveness of controls on large scale enterprise software implementations.
• Four (4) years of experience in gap analysis and developing actionable findings derived from IT control assessments
• Three (3) years’ experience working with database and security technologies.

Additional Requirements                                                                           

• Responsible for managing and supporting enterprise level assessments on strategic initiatives with an emphasis on HIPAA and some PCI.  Examples of strategic initiative assessments include KP’s move to Azure and KP’s Databricks Data Analytics platform.
• Manages and assists in strategic initiative assessments in addition to performing multiple smaller scale assessments at one time.
• Perform multiple assessments simultaneously and as a result, a typical day would consist of performing multiple phases (scoping, fieldwork, reporting, management response) of different assessments.
• Serve as the Controls Integration Services Team’s representative on control methodology efforts and GRC tooling efforts.
• Serve as a representative for Controls Integration Services on TRM and TRO Process discussions.
• Serve in a controls design/architect capacity if that service is needed by the system owner.

The Ideal candidate experience and qualifications include:

• Experience in managing large scale assessments on enterprise level strategic initiatives.
• Experience in controls methodology.
• Experience in GRC tooling initiatives.
• Experience in controls design/architecture work as well as controls assessments.
• Experience with risk / control frameworks / standards: NIST SP 800-53, NIST CSF, HITRUST, etc.
• Ability to lead and facilitate end to end risk assessments (Scoping, Planning, Kickoff, Fieldwork, Reporting, Management Response)
• Experience assessing cloud technologies
• Experience in PCI assessing and consulting
• Technical writing that effectively communicates security and compliance concepts and issues in a manner that is understood by non -technical audiences.

Licenses and Certifications                                                                                       

One or more of the following certifications are preferred but not required:

• CISM
• CISA
• CRISC
• CISSP
• CCSP                                                        

Preferred Qualifications                                                            

• Two (2) years of work experience in a role requiring interaction with executive leadership (e.g., Vice President level and above)
• Four (4) years experience writing ITRM documentation and assessment reports.
• Two (2) years developing IT compliance frameworks or ITRM methodologies.
• Two (2) years managing audit and/or compliance projects.
• Four (4) years experience working in a large matrixed organization.
• Two (2) years experience in the development and delivery of ITRM metrics and reporting.
• Bachelor’s Degree in MIS, Information Security, Accounting, Finance, Audit, or related field.
• CISSP or comparable certification
• CISM or comparable certification.
• CISA or comparable certification.
• QSA or ISA certification.
• PMP certification.
• ITIL certification.
• DBMS certification.
• Four (4) years experience working with IT general controls (e.g., IT change management, access controls, security controls, etc.).
• Four (4) years experience working with database and security technologies

Benefits

• Transportation.
• Life insurance.
• Medical insurance.
• Solidarity association.
• Growth plans.
• Additional days off.    

K5