Reporting to the Director, IT Governance, Risk Management & Compliance, the Information Security Assurance Analyst will be responsible for managing client audit requests, responding to Information Security questionnaires, and supporting Firm Information Security certifications. The Information Security Assurance Analyst will also manage internal IT and Information Security risk assessments and help achieve regulatory compliance.
The ideal candidate is detail-oriented with strong organizational and communication skills and can facilitate timely and accurate responses to client inquiries. The candidate must be able to effectively collaborate across functions to ensure that required Information Security controls are in place, coordinate across teams to gather evidence artifacts, and craft comprehensive audit responses that align with legal and regulatory standards.
Success in this role contributes to positive client relationships, regulatory compliance, and the overall reputation of the Firm.
Manage, track, and ensure timely closure of client information security audits and serve as internal and external primary point of contact during audits
Respond to client Information Security questionnaires, including security outreach, vulnerability notifications, and responsible disclosures
Support Firm ISO 27001, ISO 27702, and ISO 22301 certifications
Participate in internal IT and IS risk assessments
Collaborate across functions and teams to gather relevant information, documentation, and evidence as needed
Communicate proactively with clients, addressing inquiries and providing updates on the status of the audit response
Develop, build, and continuously update a centralized repository for audit-related documentation, ensuring easy retrieval and access for future reference
Partner with the Office of the General Counsel and Firm Communications to draft client communications during security incidents
Provide guidance to IT group members and firm personnel on related policies, firm procedures, regulatory rules and compliance
Monitor legal and regulatory changes and developments; advise the Director and develop appropriate strategies, corrective actions, and communications
Proactively assess potential risks and opportunities for improvement
Develop and report on key performance indicators (KPIs) to measure the efficiency and effectiveness of the overall security assurance program
Bachelor’s degree in an IT-related discipline, or equivalent experience
Preferred
Professional certifications, such as CISSP, CISA, CGEIT or CISM
5+ years of experience in Information Security, IT Audit, IT Risk Management, or Third-Party Risk Management
2+ years of experience working in a security assurance role
Working knowledge of security control frameworks, such as ISO, SOC, NIST, COBIT, or similar
Familiar with SIG-Lite and other third-party risk assessment frameworks
Understanding of data security regulatory frameworks
Strong knowledge of technology risk management concepts and their application
Must be able to work collaboratively in a team environment
Ability to handle sensitive and/or confidential material with discretion
Excellent interpersonal skills and a professional demeanor; ability to work effectively with all levels of Firm personnel and vendors
Excellent written and verbal communication skills
Strategic thinker with strong analytical and problem-solving skills
Demonstrated project management and organizational skills, with strong attention to detail and the ability to respond quickly and positively to shifting demands
Ability to manage multiple concurrent objectives or activities, and effectively make judgments in prioritizing and time allocation
NY only: The estimated base salary range for this position is $110k to $135k at the time of posting.
The actual salary offered will depend on a variety of factors, including without limitation, the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not eligible for overtime pay.
Privacy Notice
For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.
Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, protected veteran’s status or any other legally protected status. “Gender” includes actual or perceived sex, a person’s gender identity, self-image, appearance, behavior or expression, whether or not that gender identity, self-image, appearance, behavior or expression is different from that traditionally associated with the legal sex assigned to that person at birth. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.