The Security Compliance department identifies and manages the key Information Security risks within EY. The department owns the Compliance Program that manages identified non-conformity events against existing policies, monitors and reports on the effectiveness of IT controls, and performs root cause analysis to identify systemic or process weaknesses that may affect the firm’s information security posture. Our primary goal is to defend against internal and external threats and to protect client and enterprise confidential data. This goal is balanced against various business goals and objectives, helping to protect the firm and its clients in a cost-effective way.
The Compliance Specialist will contribute to the evolution of EY’s Compliance program. The Compliance Specialist is also responsible for the day-to-day activities as they relate to the security compliance program and follow-up activities. The Compliance Specialist is aligned functionally within the organization and therefore is responsible for advising others on the compliance process and increasing awareness of security within their area of responsibility.
Essential Functions of the Job:
- Conducts security compliance program activities as specified in the information security policy to assess compliance with EY’s policies, standards and procedures
- Keeps track of security deficiencies through the documentation of findings, monitoring the follow through of the remediation, and validates closure to increase the security maturity of the security program and reduce overall risk
- Reports on metrics to gauge the effectiveness of the security policy framework and publishes a periodic metrics report
- Analyzes the data contained within the compliance system and other security information repositories to identify security trends, root causes and notable risks.
- Advises others, helping to enhance and improve their understanding of information security and its importance to EY.
- Advises managers and other leaders concerning the overall status of the function’s compliance findings and associated remediation plans and exceptions.
- Documents security findings, remediation plans and exception requests in a clear and concise manner
- Identifies what is needed to validate remediation has been successful
Analytical/Decision Making Responsibilities:
- Demonstrated integrity and judgment, tact and decision making ability within a professional environment
- Demonstrated ability to think creatively while accounting for multiple perspectives in any given scenario
- Ability to appropriately balance firm security needs with business impact & benefit
- Ability to recognize patterns in structured and unstructured data and to draw appropriate connections between seemingly disparate pieces of information
- Flexibility to adjust quickly to multiple demands, shifting priorities, ambiguity, and rapid change.
- Must be able to work independently and with minimal direct supervision
- Directs the progress of project work assigned to team members and reports status to management
- Evaluates, counsels, mentors and provides feedback on performance of team members
- Plans the training and development of team members to develop their skills, and maintains state-of-the-art knowledge in information security
Technical Skills and Understanding of Risk Management/ISO 31000:
- Experience with data analytics tools such as SAS or Spotfire is preferred
- Awareness of the current security threat landscape
- An overall understanding of the business objectives and security challenges within the different Service Lines within the organization
- Ability to team well with others to facilitate and enhance understanding of, and compliance with, security policies
- Some programming experience is beneficial, though not required
- Minimum of five years of related IT work experience
- Three or more years of experience in the Information Security field
- Three or more years in an IT networking role
- Experience in solution design and development, or within an infrastructure operations organization supporting LAN/WANs
- Experience advising and communicating with clients and vendors in relation to security policies
- Demonstrated sound judgment, tact, and decision-making ability
- Good management, interpersonal, communication, organizational, and decision-making skills
- Ability to understand and integrate cultural differences and motives, and to lead cross-cultural teams
- Strong English language skills, written and verbal, are required
- An advanced degree in Computer Science or a related discipline, or equivalent work experience
Candidates with one of the following or equivalent certifications will be preferred:
Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC),