
Sr. Technology Risk & Compliance Analyst

Simpson Thacher & Bartlett LLP
Full-time
On-site
New York, New York, United States
$140,000 - $165,000 USD yearly

JOB SUMMARY & OBJECTIVES

The Sr. Technology Risk and Compliance Analyst is responsible for oversight of the firm’s data security compliance and risk assessment programs, which support information security, ensure privacy, and facilitate data governance. Reporting to the Director, IT Governance, Risk Management & Compliance, this role serves as the firm’s compliance subject matter expert: performing internal and external risk assessments, monitoring systems for potential risks, supporting client requests, and evaluating and recommending technologies.

Strong knowledge of industry regulations, risk assessment methodologies, and information security frameworks is essential. Additionally, communication skills are crucial for explaining complex compliance requirements to both technical and non-technical stakeholders.

ESSENTIAL JOB DUTIES & RESPONSIBILITIES

  • Manage the firm’s ISO 27001, ISO 27701 and ISO 27017 Information Security Management Programs, ensuring compliance with the relevant standards
  • Manage and respond to client audits and assessments in a timely manner, meeting compliance with client standards, preparing necessary documentation, coordinating with internal teams, and implementing corrective actions as needed
  • Manage the risk register, tracking audit gaps (findings) and ensuring their timely resolution
  • Develop and maintain an answer repository, ensuring accuracy and consistency while updating it as necessary based on industry changes, client requirements, and internal enhancements
  • Assist with review and responses to outside counsel guidelines, interfacing with various teams as necessary to ensure compliance
  • Stay updated on relevant regulations and standards, ensuring the organization's adherence to them
  • Assist with comprehensive risk assessments to identify potential vulnerabilities in technology systems and processes
  • Create and maintain detailed documentation related to risk assessments, compliance activities, and security measures; prepare reports for internal and external stakeholders
  • Monitor legal and regulatory changes and developments; advise the Director and develop appropriate strategies, corrective actions, communications
  • Provide guidance to IT group members and firm personnel on related policies, firm procedures, regulatory rules and compliance
  • Proactively assess potential risks and opportunities for improvement
  • Understand the role of systems and technology within the firm and promote a culture of information security risk and compliance across all business units
  • Assist with the firm’s third-party vendor risk management program; make recommendations for enhancements and improvements as appropriate
  • Perform other duties as assigned.

EDUCATION

REQUIRED

  • Bachelor’s degree, IT-related discipline

PREFERRED

  • Professional certifications, such as CISSP, CISA, CISM, or CRISC

SKILLS AND EXPERIENCE

REQUIRED

  • 8+ years of experience in GRC / Information Security responsibilities
  • Experience with ISO 27001 / ISO 27701 control frameworks and SIG Lite risk assessments
  • Proficient knowledge of the security implications of a variety of technologies, including but not limited to Microsoft, Cisco, Unix/Linux, and other market-leading technology solutions, including mobile devices
  • Demonstrated knowledge of the global data security regulatory environment
  • Strong knowledge of technology risk management concepts and their application
  • Must be able to work collaboratively in a team environment and independently
  • Ability to handle sensitive and/or confidential material with discretion
  • Excellent interpersonal skills and a professional demeanor; ability to work effectively with all levels of Firm personnel, vendors and clients
  • Excellent written and verbal communication skills, ability to communicate clearly and concisely
  • Strategic thinker with strong analytical and problem-solving skills
  • Demonstrated project management skills, organizational and execution skills with strong attention to detail
  • Ability to manage multiple concurrent objectives or activities and to exercise sound judgment in prioritization and time allocation
  • Must be flexible in order to respond quickly and positively to shifting demands

PREFERRED

  • Industry certifications (for example CISSP, CISM, CISA or CRISC)
  • 5+ years of experience in an information security risk management or governance role
  • Experience in a law firm environment a plus

Salary Information

NY Only: The estimated base salary range for this position is $140,000 to $165,000 at the time of posting.

The actual salary offered will depend on a variety of factors, including without limitation the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and, if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not eligible for overtime pay.

Privacy Notice

For information about how Simpson Thacher & Bartlett LLP collects and processes your personal information, please refer to our Privacy Notice available at https://www.stblaw.com/other/privacy-notice.

Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, protected veteran’s status or any other legally protected status. “Gender” includes actual or perceived sex, a person’s gender identity, self-image, appearance, behavior or expression, whether or not that gender identity, self-image, appearance, behavior or expression is different from that traditionally associated with the legal sex assigned to that person at birth. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.
