Risk and Compliance Manager
Springfield, IL, US, 62704
Full Time Senior-level / Expert USD 90K - 120K
State of Illinois
Agency: Board of Elections
Closing Date/Time: March 28, 2025
Anticipated Starting Salary: $7,500-$10,000 per month
County: Sangamon
Number of Vacancies: 1
The SBE is a non-code agency.
All applicants who want to be considered for this position MUST apply electronically through the illinois.jobs2web.com website. State of Illinois employees should click the link near the top left to apply through the SuccessFactors employee career portal.
Applications submitted via email or any paper manner (mail, fax, hand delivery) will not be considered.
Functional Statement
Reporting to the Chief Information Security Officer (CISO), the Risk & Compliance Manager is responsible for: assessing organizational risks, ensuring the agency's alignment to information security standards, collaborating with agency stakeholders to develop a risk management framework, performing gap analysis and recommending compensating technical and/or administrative controls, leading and managing information security compliance initiatives, maintaining policies, standards, procedures, and controls documentation, conducting comprehensive risk assessments, managing third-party risk, and overseeing the agency's security awareness initiatives.
Essential Function 1
Develops and implements risk management plans and processes that are aligned to business objectives and security requirements. Collaborates with agency stakeholders and control owners to develop and implement testing and evidence gathering methodologies. Analyzes and interprets audit results and provides recommendations to system owners and senior leadership to reduce risk. Serves as risk management subject matter expert in support of agency projects. Leverages GRC tools and the service desk to track progress and distribute compliance and risk remediation task assignments.
Essential Function 2
Conducts third-party service organization risk assessments to ensure supply chain risk is managed throughout the business relationship lifecycle. Establishes and maintains relationships with third-party vendors. Continuously monitors third-party risk by periodically gathering and analyzing vendor documentation such as SOC2 Type II, ISO 27001, technical diagrams, penetration test results, continuity plans, etc. Reports on the benefits and risk for the agency as well as requirements for service provider compliance. Creates, maintains, and distributes third-party vendor security questionnaires. Serves as the agency's liaison to ensure successful external third-party risk and vulnerability assessments. Communicates assessment results to leadership, business stakeholders, and program managers. Documents Corrective Action Plans (CAP) as needed and assists with the creation of agency Plan of Action & Milestones (POA&M).
Essential Function 3
Assists with the research, creation, maintenance, implementation and communication of Information Security policies, standards, controls, and procedures documentation. Evaluates and documents technical, administrative, and physical controls to ensure the agency demonstrates compliance and meets the requirements of its regulatory obligations. Leads efforts to remediate control gaps and presents findings to leadership. Facilitates data collection and eDiscovery efforts to support investigations of policy violations. Collaborates with the Information Security Operations team and other agency stakeholders to analyze security incidents and provide recommendations to reduce risk. Establishes and maintains a detailed risk register for the organization.
Essential Function 4
Develops and matures the agency's security awareness program. Utilizes a combination of third-party education resources and services, threat intelligence, and industry trends to create and distribute annual and supplemental security awareness trainings. Periodically provides agency staff with additional education opportunities such as presentations or workshops that are focused on information security, risk, and compliance.
Essential Function 5
Continues education by attending training, seminars, and conferences, and by obtaining industry certifications. Maintains a current understanding of the threat landscape by monitoring online information security-related websites, blogs, articles, and reports, as well as other security intelligence sources, to keep up to date on the latest threats, IOCs, and trends. Participates in cybersecurity-focused organizations.
Essential Function 6
Performs other duties as required or assigned which are reasonably within the scope of the duties enumerated above. Provides off-hours support as required.
Minimum Qualifications 1
Associate's Degree in a related field and a minimum of 10 years of Information Technology experience, including 5 years of professional experience in information security and risk management. A combination of education, certifications, and experience may be substituted for the degree.
Minimum Qualifications 2
Advanced knowledge in information security technologies, design, and architecture. In-depth understanding of risk management and security frameworks such as NIST, CIS, OWASP, COSO, ISO, FAIR, etc.
Minimum Qualifications 3
Prior success in performing risk assessments. Experience developing and implementing enterprise risk and compliance strategy and solutions.
Minimum Qualifications 4
Possesses the ability to write and communicate effectively with both technical and non-technical audiences.
Minimum Qualifications 5
Comfort presenting to executive leadership is a must.
Preferred Qualifications 1
One or more of the following certifications are highly desired:
CISA: Certified Information Systems Auditor
CRISC: Certified in Risk and Information Systems Control
CGRC: Certified in Governance, Risk and Compliance
CISSP: Certified Information Systems Security Professional
SSCP: Systems Security Certified Practitioner
CCSP: Certified Cloud Security Professional
IAPP: CIPP, CIPM, CIPT
COBIT: Control Objectives for Information and Related Technology
ITIL: Information Technology Infrastructure Library
This position title is eligible for our hybrid telework arrangement (up to 2 remote days per week) and tuition reimbursement programs (100% of tuition costs covered). Upon accepting this position, you will be eligible to enroll in the State of Illinois Group Insurance Program, which includes various highly competitive and low-cost coverage options for health, dental, vision, and life insurance. In addition, this position offers a competitive time-off package, including: 12 paid sick days per calendar year (accrual basis); a minimum of 10 paid vacation days per calendar year (accrual basis); 3 personal days per calendar year; and 12 paid state holidays per calendar year.
The SBE welcomes all and promotes workplace diversity. It is our individual traits, character, and experiences that make each of us special and unique. It is only when we bring that individualism together and work as a diverse team that we thrive. There is no place for discrimination based on race, religion, culture, sexual identity or orientation, age, or disability at the State Board of Elections.
Tags: CCSP CGRC CIPP CISA CISO CISSP Cloud COBIT Compliance CRISC Governance ISO 27001 ITIL Monitoring NIST OWASP POA&M Risk assessment Risk management RMF SOC 2 SSCP Strategy Threat intelligence
Perks/benefits: Competitive pay Conferences Health care Insurance