The Information Risk Management Analyst position is responsible for supporting the management of IT and information risks relating to CDW information and information systems. This position assists Information Risk Management (IRM) managers in ensuring that the audit and regulatory controls and processes required for CDW information and information systems are adequately designed, implemented and performed. Additionally, this position will assist IRM managers with executing information management programs and processes that reduce risk to an acceptable level.
Key Areas of Responsibility
- Assist in coordinating efforts to ensure IT controls are appropriately executed, resulting in Sarbanes-Oxley (SOX) and Business Process Assurance (BPA) compliance.
- Support remediation of PCI DSS, SOX and all other regulatory observations identified and reported by BPA or external auditors.
- Research and provide recommendations for improving the effectiveness and efficiency of IT and information risk and compliance activities.
- Gather data to prepare IT risk and information management metrics and reporting.
- Serve as IT liaison to BPA or external auditors by prescreening requests and responses for completeness and accuracy.
- Perform tasks associated with Information Security policies and procedures development and updates.
- Participate in IT control monitoring programs to ensure IT compliance-related risks are managed to the level of acceptable risk.
- Support the development of an IT knowledge repository for IT risk and compliance-related materials and resources, including IT controls, policies, procedures and standards.
- Perform basic information management operations in accordance with established information management procedures.
- Respond to Coworker information management questions or escalate appropriately.
- Assist with the preservation and collection of Business Records under Legal Hold.
- Contribute to the development of the information management programs and awareness campaigns.
- Help coordinate and execute annual record clean-up days.
- Gain understanding of business processes, business control processes, risk management, IT controls and related standards.
- Achieve understanding of complex business and information technology management processes.
- Develop understanding around established Information Management procedures.
- Identify internal controls which mitigate risks and related opportunities for internal control improvement.
- Conduct analysis and research to understand the broader risk impact of current decisions.
- Use technology-based tools or methodologies to review, design and/or implement processes and internal controls.
- Communicate appropriately to all levels across the organization both verbally and in writing.
- Provide timely status updates on progress to manager.
- Draft communications appropriately for Information Management tasks.
Other Required Qualifications
- Knowledge and understanding of information risk concepts and principles as a means of relating business needs to controls
- Ability to collaborate and interact directly with IT coworkers and other personnel across the business and build strong relationships at all levels
- Good analytical, conceptual and problem-solving skills
- Excellent technical writing skills with strong attention to detail
- Effective communication (verbal and written), interpersonal and presentation skills
- Ability to create high quality deliverables with limited supervision
- Strong organizational and time management skills to prioritize and assist in the execution of tasks in a high-pressure environment
- Proficiency with Microsoft Office applications such as Excel, Word, PowerPoint and Visio, and the ability to learn new tools and technologies relevant to the position
- Knowledge of PCI DSS, SOX IT General Controls, HIPAA or other regulatory standards
- Understanding of Enterprise Risk Management, IT Risks and/or Information Management
- Experience researching, supporting and facilitating development of Information Security policies, procedures, standards and guidelines
- Knowledge of application / system architecture, including the system development lifecycle
- CISA, CISSP, ISA, PCIP, IGP or CRM designation
- Responsive and alert to new learning and research concepts, ideas, and technologies