
GRC Policy Analyst (Remote)

Date: Apr 5, 2021

Location: remote, MA, US, remote

Company: EBSCO Industries Inc

EBSCO Information Services (EIS) provides a complete and optimized research solution comprised of e-journals, e-books, and research databases — all combined with the most powerful discovery service to support the information needs and maximize the research experience of our end-users. Headquartered in Ipswich, MA, EIS employs more than 3,300 people worldwide. We are the leader in our field due to our cutting-edge technology, forward-thinking philosophy, and top-notch workforce. EIS, a division of EBSCO Industries Inc., based in Birmingham, AL, is ranked in the top 200 of the nation’s largest, privately held corporations according to Forbes magazine. EBSCO is a company that will motivate you, inspire you, and allow you to grow. We are looking for the best. If you are too, we encourage you to explore our unique opportunities.

Job Description

Located north of Boston, EBSCO Information Services (EIS) is widely recognized as the leader in providing innovative digital content delivery and the application of technology to transform the digital learning environment. EIS is searching for a GRC Policy Analyst responsible for the organization's information security policy awareness, training, and staff engagement program. Primary duties involve engaging staff across EIS with different learning modalities (interactive learning, static presentations, Key Performance Indicators, etc.) to improve security emotional intelligence (EQ) and reduce human-factor cyber risk.


The goal of the EIS Security Awareness and Education program is to reduce information security risk by ensuring that EIS staff members understand company security policies and apply information security best practices with respect to Organization and Customer data and information technology systems. In collaboration with other members of the EIS Information Security Group, this position will manage a broad set of activities, including drafting and managing information security policies and standards, creating and delivering training and awareness content, and developing and presenting Security Key Performance Indicators (KPIs). This position will also create and manage internal website content, facilitate internal awareness marketing campaigns, collaborate with engineering staff, and create timelines and infographics. The intended result of these activities is to drive the EIS Security Awareness and Education program. The position is also responsible for evaluating the effectiveness of engagement techniques and resources and implementing changes as appropriate. Awareness of and/or experience with public cloud / AWS technologies is desired, but the right candidate will have an opportunity to learn and grow using the latest cloud technologies.


Primary Responsibilities

· Draft and maintain compliance documents (e.g., policies, standards, procedures, etc.) and support compliance training and awareness objectives (e.g., HIPAA, FERPA, GDPR, ISO 27001, etc.).

· Develop and maintain an Information Security Awareness and Education program that effectively motivates desired behaviors, so our community manages data and systems in a secure manner.

· Create, maintain, and communicate a Security KPI/metrics framework that helps achieve, observe, and measure security posture results.

· Participate in risk assessment meetings and document risk treatment activities identified.

· Help identify the top human risks to our organization and the key behaviors that we need to change to mitigate those risks, while adapting our engagement strategy to incorporate and address emerging technologies and risks, such as Public Cloud/AWS-specific capabilities and their use.

· Ensure that our information security awareness program clearly communicates our security policies and requirements so that people know, understand, and can follow them.

· Collaborate, prepare, and deliver InfoSec training and awareness products appropriate for EIS staff audiences. Facilitate successful social learning experiences in classroom settings (virtual and in-person).

· Promote awareness of program initiatives through the creation and maintenance of an online presence that serves as a central repository for security guidance and references.

· Maintain a current working knowledge of applicable security / privacy laws, standards/regulations, and monitor advancements in information privacy and security technologies including security best practices.

· Communicate with internal stakeholders on information security and privacy regulations as well as help review and advise on regular reviews and updates to IT policies and procedures.

· Update and participate in regular exercises for Security Incident Response.


Role Based Competencies:

· Comprehensive knowledge of industry standards related to ISO 27001, HIPAA, FedRAMP and GDPR.

· Ability to communicate in a simple, clear, and concise manner to the various communities within our organization (Legal, Sales, Developers, Technical/Non-technical Leaders and Product Managers). Independently writes well-structured and persuasive end products.

· Maintain a working knowledge of InfoSec risk mitigation principles and techniques in daily work.

· Knowledge of KPI and graphic data visualization technologies such as Tableau considered a plus.

· Demonstrates understanding and use of basic project management methodologies, including the ability to plan, manage and maintain a complex, organization-wide long-term program.

· Strong technical writing and interpersonal skills with ability to communicate effectively verbally and in writing with all levels within the organization, including both technical and non-technical personnel.

· Maintains passion to learn and integrate new capabilities in digital technology, such as audio, video, social media, online communities, blogs, and other web-based technologies.

· Demonstrates creative thinking and understanding of audience to produce engaging materials in a variety of formats and media, including storyboards, user guides, and gamification elements.

· Demonstrates resilience and flexibility in a rapidly changing environment to explore different strategies and achieve desired outcomes.

· Possesses a high degree of independence, integrity, and confidentiality while able to independently develop and deliver presentations and can respond to questions.

· Highly organized and able to multi-task and manage concurrent deadlines and able to effectively contribute to and lead working groups.


Required Qualifications

· Bachelor's Degree in technical or business discipline or equivalent experience

· 2-4 years of experience in an information security governance, risk, and compliance role


Preferred Qualifications

· Security Governance certifications preferred (CISSP, CISM, CISA, CGEIT, CRISC)

· Experience with SharePoint, Confluence, Yammer, MS Teams, and Tableau highly desired

· Agile experience such as Scaled Agile Framework for Enterprise (SAFe) a plus, but not required.

· Experience working with a Data Privacy Program including performing and maintaining Data Protection Impact Assessments (DPIAs)

· Experience in a complex hybrid cloud environment (AWS, On-Prem)

· Experience building and deploying Information Security Programs such as Data Governance & Stewardship, and Business Continuity

· Experience in the following areas preferred, but not required … Health Insurance Portability and Accountability Act (HIPAA), Children's Online Privacy Protection Act (COPPA), General Data Protection Regulation (GDPR), Family Educational Rights and Privacy Act (FERPA), FedRAMP, ISO 27001, ISO 27701, and CCPA.

EBSCO Industries, Inc. is an equal opportunity employer and complies with all applicable federal, state, and local fair employment practices laws. EBSCO strictly prohibits and does not tolerate discrimination against employees, applicants, or any other covered persons because of race, color, sex (including pregnancy), age, national origin or ancestry, ethnicity, religion, creed, sexual orientation, gender identity, status as a veteran, and basis of disability or any other federal, state or local protected class. This policy applies to all terms and conditions of employment, including, but not limited to, hiring, training, promotion, discipline, compensation, benefits, and termination of employment.

EBSCO complies with the Americans with Disabilities Act (ADA), as amended by the ADA Amendments Act, and all applicable state or local law.
