Senior GRC Controls Testing / IT Audittor

Overview

IT GRC Controls Analyst 

The Controls Analyst is responsible for evaluating and testing the effectiveness of the organization’s IT and cybersecurity controls. This role involves conducting control assessments, identifying potential weaknesses, and ensuring that security measures comply with regulatory standards and internal policies. The Controls Tester will collaborate with various teams, including IT, Information Security, Internal Audit, and Compliance, to ensure that controls are designed and operating effectively. The ideal candidate will have a strong background in IT risk management, cybersecurity frameworks, and experience performing detailed control testing. 

•  

 

 

 

 

 

Responsibilities

Major Responsibilities: 

Control Testing and Assessment:

• Conduct regular testing and validation of IT and information security controls to ensure effectiveness. 

• Review control design and operation, identifying potential gaps or weaknesses in the organization's security framework. 

• Test technical security controls, including access management, network security, encryption, vulnerability management, and incident response measures. 

• Assess the implementation of cybersecurity controls against established frameworks such as NIST, ISO 27001, CIS Controls, and other relevant regulatory requirements. 

• Perform detailed documentation of test procedures, results, and findings. 

Compliance and Risk Management:

• Ensure that IT and cybersecurity controls comply with relevant legal, regulatory, and industry standards (e.g., SOX, GDPR, PCI-DSS, etc.). 

• Collaborate with IT, Information Security, and Risk Management teams to ensure proper implementation and monitoring of controls. 

• Review and analyze IT risk assessments to ensure risks are adequately addressed by existing controls or recommend additional controls if necessary. 

• Support internal and external audits by providing test results, documentation, and evidence of control effectiveness. 

Reporting and Recommendations:

• Prepare detailed reports summarizing test findings, control deficiencies, and potential risks. 

• Provide recommendations for improving the design and implementation of IT and security controls to mitigate risks and enhance the security posture. 

• Track and monitor remediation efforts related to identified control deficiencies or weaknesses. 

• Present testing results and risk findings to senior management and other key stakeholders. 

Continuous Improvement and Collaboration:

• Assist in the development and refinement of control testing methodologies, procedures, and tools. 

• Collaborate with IT and Information Security teams to help improve the overall security and risk management framework. 

• Participate in the ongoing evaluation of emerging cybersecurity risks and evolving regulatory requirements to adjust control testing practices as needed. 

• Provide input on the development and maintenance of security policies, standards, and procedures. 

Qualifications

Required Qualifications: 

• Bachelor's degree in Information Technology, Information Security, Computer Science, or a related field. 

• 3+ years of experience in IT risk management, information security, or internal audit with a focus on control testing. 

• Familiarity with cybersecurity frameworks and standards (e.g., NIST, ISO 27001, COBIT, CIS Controls, etc.). 

• Experience testing a wide range of IT controls, including network security, access management, data protection, and system monitoring. 

• Strong understanding of risk management principles and regulatory compliance requirements. 

• Excellent analytical, problem-solving, and communication skills. 

• Proficiency in documenting control assessments and creating reports. 

 

Preferred Qualifications: 

• Certifications such as Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), or Certified in Risk and Information Systems Control (CRISC). 

• Experience with governance, risk, and compliance (GRC) tools or platforms. 

• Familiarity with cloud security controls and technologies. 

• Knowledge of automated control testing tools and techniques.