Location: Washington, D.C.
The Senior Information Risk and Compliance Analyst is responsible for supporting the Information Security and Compliance Department on all information security and compliance-related policies, standards, and practices across Sirius XM.
Duties and Responsibilities:
- Supports the organization's Information Risk and Compliance programs, including SOX, PCI, ISO, and other programs, by conducting control testing, risk mitigation and evidence validation, and remediation tracking in accordance with COBIT, ISO, and regulatory standards and policies; reports issues and operational loss events.
- Reviews and monitors the development, implementation, and maintenance of projects and plans related to information security and information security administration that support Information Risk and Compliance activities. Consults on the design and implementation of security features and protocols through the configuration and change management process, identifies information security gaps, requirements, and impacts resulting from system changes and/or modifications, and assists with remediation activities.
- Performs information security risk analyses for the corporate network infrastructure, including telematics and other advanced technology environments, by performing threat and vulnerability assessments and analyzing threats and vulnerabilities to determine organizational impact and risk mitigation strategies, assisting the organization in protecting information systems and other resources from known and potential threats.
- Partners with Information Security leads throughout the enterprise to identify information security risks, classify and prioritize those risks, implement controls to reduce or eliminate risks, ensure adherence to corporate information security policies and standards, and assist in conducting software security assessments and security and vulnerability assessments.
- Acts as the subject matter expert on legal and regulatory requirements as they pertain to SOX, PCI, information security, information risk, privacy, and other applicable laws and standards, and works to align internal and external processes and procedures with these requirements. Monitors activities of assigned area(s) within the enterprise to ensure compliance with applicable internal control policies and procedures and with external laws and regulations.
- Designs and manages the Vendor Information Risk Management Program, including maintaining an inventory of third parties who have access to the information technology environments, conducting security and compliance due diligence reviews, and maintaining compliance documentation.
Qualifications:
- Bachelor's degree or equivalent relevant experience.
- Minimum of 5 years of experience in risk and compliance.