Governance, Risk & Compliance Analyst
Toronto, Ontario, Canada
The Information Technology Governance, Risk and Compliance Analyst is responsible for assessing and prioritizing cyber security and data protection risks across the organization while helping Teknion meet its compliance obligations. The incumbent supports risk mitigation efforts by conducting risk assessments; establishing and maintaining governance and compliance standards; creating, communicating, and enforcing information security and confidentiality policies and processes; and providing recommendations on risk treatment strategies.
The incumbent executes and administers security solutions/systems consistent with regulations and established frameworks and may lead relevant implementation projects and is also responsible for promoting cybersecurity awareness throughout the company.
You will be leveraging a security and compliance automation platform (Drata) that continuously monitors and collects evidence of the company’s security controls while streamlining workflows to ensure audit readiness. The Drata platform also provides a Trust Centre (manage and publish Teknion’s security posture), Vendor Risk Management (identify and monitor vendor risk) and Audit Hub (create a centralized audit communication center). Additional tools / solutions may be utilized over time.
Governance
- Develop, implement, enhance and communicate security governance framework including policies, standards and procedures across the organization;
- Define and operationalize data classification standards to classify and label data and files and define security controls baseline for classified data;
- Collaborate with Information Technology and the business to ensure that appropriate controls are designed & operating effectively following the corporate policies. Conduct periodic internal audits / self assessments where applicable;
- Monitor activities impacted by regulatory requirements related to the organization’s governance and any location-specific laws, and implement changes to compliance processes in response to new or amended regulations;
- Must be trustworthy in keeping sensitive data confidential.
Risk
- Responsible for conducting comprehensive security risk assessments of new and existing information systems, networks and infrastructure, and third parties to identify potential risks & vulnerabilities;
- Responsible for managing and monitoring Teknion’s risk register to ensure risks are actioned in a timely manner when required.
- Present Governance, Risk and Compliance metrics to the Cyber Risk team and business leaders to ensure they are aware of risks and corresponding obligations (e.g., treatment plans, controls, processes, etc.);
- Recommend controls to mitigate / treat security and data protection risks identified through the risk assessment process and communicate risk findings that are clear and actionable to relevant stakeholders.
Compliance
- Evaluate and benchmark Teknion’s cybersecurity capabilities in line with NIST and ISO frameworks, develop plans to prioritize actions and investments required to improve capabilities to best practices;
- Utilize established internal controls and audit systems (Drata) to identify, detect and correct noncompliance;
- Perform, and eventually lead a team performing, the analysis needed to deliver all the evidence required to support compliance audits;
- Provide support during certifications & assessments conducted by third parties;
- Design and document technical, administrative, and physical controls to ensure the business demonstrates compliance, ensuring that Teknion meets both the requirements and intent of its compliance obligations;
- Assist with training initiatives that inform stakeholders about compliance requirements.
Other skills that would be an asset for future career opportunities:
- Ability to think analytically, define problems and frame solutions.
- Soft skills, including facilitation, diplomacy, and conflict resolution.
- Analytical, communication and negotiation skills, and attention to detail.
- Effective in a cross-functional team environment and able to work independently with minimal supervision.
- A degree of creativity, critical thinking and latitude.
Qualifications/Educational Requirements
- University degree in Computer Science, Information Security, Cybersecurity, or a related field as well as experience with Cybersecurity risk management, technology risk, or the equivalent combination of education and experience.
- 2+ years of relevant experience in Cybersecurity and Governance, Risk and Compliance
- Experience with security frameworks such as NIST 800-53, NIST CSF, NIST 800-171, CMMC, ISO 27001 and the creation of applicable policies, standards and procedures
- Experience with Privacy Laws and Regulations such as PIPEDA, GDPR, CCPA, AIDA and ISO 27701
- Knowledge of applicable information security management, governance, and compliance principles, practices, laws, rules and regulations
- Understanding of Information Technology systems and processes, network infrastructure, data architecture, data processes, and protocols
- Excellent written & verbal communications skills (communicating at all levels with internal & external stakeholders) with fastidious attention to detail
- Strong analytical, problem-solving and troubleshooting skills
- Ability to work in a fast-paced environment managing multiple priorities with proven time management skills.
- Working knowledge of the Drata Continuous Automated Governance, Risk and Compliance platform or equivalent will be an asset
- Any of the following certifications will be an asset:
  - Certified in Risk and Information Systems Control (CRISC)
  - Certified Information Systems Auditor (CISA)
  - GIAC Systems and Network Auditor (GSNA)
  - Certified Information Security Manager (CISM)
  - Certified Information Systems Security Professional (CISSP)