GRC Security Policy Analyst

Chicago, IL
Information Technology, Telecommunications
$115,000.00 per year
Employment Type: Full time

Job Description:

Prestigious Global Firm is currently seeking a GRC Security Policy Analyst. The candidate will join the Governance, Risk and Compliance (GRC) team and act as a subject matter expert for Information Security. The candidate will perform risk management functions within the Security Governance department.


Serve as a subject matter expert for Information Security, consulting to technical management (serving on project teams, discussing application and systems architectures, etc.), non-technical management (educating the user community on information security) and attorneys (e.g., litigation-related technical education) as necessary.

Manage and support GRC technology and Security Governance solutions. Create and maintain system, procedural and support documentation.

Manage and support the third-party Security Vendor Risk Management program and its life cycle.

Document and perform Risk Assessments for third parties (e.g., vendors and service providers). Respond to security assessments, questionnaires and audits from clients and third-party business partners.

Create and maintain security policies, standards, processes and guidelines for approval by Firm management. Evaluate exception requests and make approval recommendations to management.

Security Awareness: assist in coordination of the program, including development of awareness content, scheduling of awareness activities and measuring progress of the program.

Vulnerability Management: collect information on emerging threats including software vulnerabilities. Coordinate triage of and response to vulnerability information. Disseminate this information regularly to firm staff and management as appropriate.

Participate in long-term strategy and planning for Information Security.


Preferred candidate will have one or more of the following certifications:

Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications.

GRC tool management: Administration, Engineering or both.

Ability to perform as primary Security SME.

Ability to facilitate project and vendor risk assessments with relative independence and provide guidance on secure design and operation.

Ability to complete and assist in completing client security questionnaires and security assessments concerning the Firm's security program and controls.

Ability to communicate an effective security awareness message throughout the organization.

Demonstrated ability to create and maintain security policy, standard, guideline and procedure documents.

Demonstrated ability to effectively communicate deeply technical topics at an appropriate level of detail to varied audiences, including IT Subject Matter Experts, senior management and non-technical users.

Strong knowledge of security frameworks and technologies such as ISO 27001, NIST, SOC, SIG.

Experience (Administration or Engineering) in GRC platforms.

Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options.

Strong knowledge of risk management principles and practices.

Strong knowledge of security administration and role-based security controls.

Strong knowledge and use of GRC platforms.

Knowledge of host and network-based anti-malware technologies.

Knowledge of authentication technologies and interactions between diverse authentication platforms, both on-site and remote.

Knowledge of client and server firewalling technologies, including configuration and administration.

Knowledge of Intrusion Detection and Prevention solutions, including configuration and administration.

Knowledge of security event management (SIEM), event correlation and analysis technologies.

Knowledge of data encryption technologies.

Strong knowledge of Intrusion Detection and Intrusion Prevention technical capabilities.

Knowledge of web filtering and email SPAM prevention techniques.

Knowledge of vulnerability assessment and forensic investigations tools.

Knowledge of mobile device security and Mobile Device Management solutions.

Knowledge of Privileged Access Management technologies.


Windows Authentication and Active Directory integration

Anti-Malware and AEP technologies

Security Incident and Event Management

Web Filtering

Vulnerability management tools

Mobile Device Management

Privileged Access Management

Company Info
Request Technology - Craig Johnson