Manages and coordinates professional work examining, evaluating, and/or monitoring conformity with laws, regulations, information security, privacy or other business standards. Supervises others in compliance activities.
This class is intended for journey-level management of professional risk management and compliance activities in a state agency. Participants in this class may manage risk management and compliance activities in a unit or department.
Oversees and conducts risk management activities (e.g., risk assessment, gap analysis, business impact analysis) to identify current and future threats and to help the organization reach an acceptable level of risk. Plans, organizes and directs regulatory enforcement activities to ensure that all applicable statutes, rules, and regulations are met. Implements processes, standards and baseline thresholds for measurement, monitoring, reporting, mitigation and remediation of identified risks. Assists in the establishment and maintenance of the agency’s information security program and associated strategies to support the business processes and overall goals of the organization. Enforces security requirements during the design, development, testing and delivery of information systems to confirm that organization assets are appropriately secured at all times against risks and threats. Establishes and maintains internal and external communication channels to support information security across the organization. Supports the development and review of the organization’s governance, risk, and compliance (GRC) strategy that aligns the business, information technology and governance model. Supports the maintenance of the information security framework by updating controls in conjunction with regulatory requirements. Works with information security and other management to monitor the effectiveness of the organization’s GRC processes. Supports the organization’s transition to a GRC platform for tracking risks due to non-compliance, information security and privacy control adoption, and monitoring the implementation of security controls. Collaborates with management to leverage existing technology investments to support the GRC program. Provides support to maintain collaboration among departments across the organization. Supports training deployment to raise GRC program awareness across the organization.
Performs research in GRC technology, processes updates, and best practices, and advises management on adoption to improve GRC capabilities. Assists in the development of reports and dashboards to present the level of controls compliance and the current IT risk posture.
Knowledge of applicable internal and/or external regulatory policies, standards, procedures and controls. Knowledge of governance, risk and compliance (GRC) program management. Understanding of the risk assessment process, monitoring, and reporting. Ability to apply information security principles to business solutions. Ability to act as a liaison and effectively communicate information security topics (e.g., data constraints, information needs) to both technical and non-technical audiences at all levels of the organization. Knowledge of developing and managing an information security program, including its policies, standards, procedures, technologies, and controls. Knowledge of identifying and managing information security risks, threats, and incidents at an enterprise level.
A bachelor’s degree and relevant experience.