Sr Technology Compliance Analyst I - MGT
Federal Reserve Board
Washington, DC, USA
Published 1 week ago
Compliance Management Systems / Technology
Position Description
Minimum Education
Bachelor's degree or equivalent experience
Minimum Experience
5
Summary
Guides and/or participates in the assessment of Software Development Lifecycle (SDLC) by assessing the initiation, planning, execution for production releases, contingency testing, system upgrades, and third-party software upgrades to ensure compliance with division governance, which includes FISMA, SOX, FISCAM methodologies. Leads and/or participates proposing and reviewing changes to information security policies, methodologies, approaches, RCM, guidelines, and procedures. Guides and/or participates in regular or annual financial statement audits and internal control for financial review of IT system processes and operational activities and documents findings. With some guidance, ensures the division governance model is maintained by developing test of design and test of effectiveness to assess potential risks to the financial and IT security compliance posture. Leads and/or participates in the creation of IT general controls for the purposes of auditing and monitoring.
Duties and Responsibilities
- Leads and/or participates in the review and maintenance of Sarbanes-Oxley (SOX) risk control matrices (RCM), test results, and remediation logs. Guides and/or participates in the assessment of the Software Development Lifecycle (SDLC) by assessing the initiation, planning, and execution of production releases, contingency testing, system upgrades, and third-party software upgrades to ensure compliance with division governance, which includes FISMA, SOX, FISCAM, and FedRAMP methodologies. Follows change control, audit log review, contingency, separation of duties, and access control procedures to support FISMA, financial statement audits, and SOX compliance for all IT development projects, including assisting with maintaining and evaluating the governance documents that support these activities. Advises leadership on compliance, information security, and internal controls.
- Guides and/or participates in effectively communicating policies and procedures to the division and advises on solutions to correct weaknesses. Leads and/or participates in evaluating, proposing, and reviewing changes to governance and key controls related to financial compliance and information security policies, methodologies, approaches, guidelines, and procedures. Ensures compliance with the Board Internal Controls over Financial Reporting and the Board Information Security Program.
- Has advanced knowledge of applicable IT compliance standards, governing standards, and IT audit frameworks. Guides and/or participates in regular or annual financial statement audits and internal control for financial review of IT system processes and operational activities and documents findings.
- Applies advanced project management methodologies, including using project management software to track all work and resolutions, and manages one or more tasks at a time.
- Leads and/or participates in the analysis of current business architecture to identify weaknesses and develop opportunities for improvements. Guides and/or participates in the review of existing business processes and establishes metrics to improve processes.
- Has advanced knowledge of the client's strategies, functions, issues, and relationships that drive day-to-day operations, decisions, and workforce dynamics. Leverages this knowledge to better meet the client's business needs and requirements.
- Leads and/or participates in the creation of IT general controls for the purposes of auditing and monitoring. Guides and/or participates in the design and testing of internal reviews and management of external audits to identify findings and support remediation activities. Works with auditors and security groups to ensure adherence to governance, regulations, and compliance with policies and procedures (e.g., FISMA, SOX, COBIT, FISCAM, ISACA, etc.).
- Represents the division on major technology compliance matters within the Board and interacts with auditors.
Requires technical and analytical skills typically acquired through the completion of a bachelor's degree in computer science, information technology, or a related discipline, or equivalent experience. A thorough knowledge of and extensive experience in system life cycle development is required; experience with cloud SaaS, PaaS, or IaaS applications is desirable. Must have at least five years of progressively responsible experience in the information security technology arena as a security analyst, Information System Security Officer (ISSO), Information System Security Manager (ISSM), or a combination of these. Experience with successfully implementing projects and working with enterprise financial systems and FedRAMP systems is strongly desired. Knowledge of audit log reviews and of developing ad hoc security-related reporting based on the results of continuous monitoring is required. Strong team-oriented interpersonal and communication skills are required, as is a demonstrated commitment to a strong customer service philosophy. The ability to communicate effectively with technical personnel, customers, and management is mandatory. Must possess the clear, concise, and effective verbal and written communication and project management skills needed to function in an unstructured matrix management environment. CISSP or CISA is strongly desired.
In addition to the above requirements, the FR-27, the Senior Technology Compliance Analyst II, must have at least six years of progressively responsible experience in the information technology arena as a developer/programmer, security analyst, IT manager, business analyst, system administrator, or a combination of these. Experience with leading and successfully implementing high-visibility projects is desired.
The following specific experience is strongly desired:
• Experience with implementing IT Security or internal/external auditing of financial applications
• Experience with evaluating cloud internal controls reports, SOC-1 and SOC-2
• Simultaneously works on several complex assignments requiring analysis of control applicability and evaluation of control gaps for financial systems.
• Experience with leading financial IT audits and successfully developing audit and security related system documentation to reduce risk and meet control requirements desired.
• Experience in developing a Risk Control Matrix, Test of Design and Test of Effectiveness (TOD/TOE)
• Work independently and meet deadlines for assigned tasks
• Experience with assessing IT systems leveraging NIST, SOX, FISCAM, FedRAMP, and FISMA compliance requirements
• Experience with developing and managing SOPs and system related documentation
• Experience with reporting IT risks to management
• Experience with participating in governance processes and reviewing policy documents, e.g., the CCB (Change Control Board), the ARB (Architectural Review Board), etc.
This position is hybrid, requiring a combination of telework and an in-office presence in Washington, DC.