The InfoSec Lead Risk & Control Analyst supports Navy Federal Credit Union's (NFCU) Information Security Division in managing the 1st Line of Defense internal control environment through execution of the Risk Control Self-Assessment ("RCSA") program. In collaboration with business process owners, the Lead proactively builds and maintains process maps and risk and control matrices to identify, assess, monitor, update and report on operational risks. The role requires effective partnership with risk partners and process owners within Information Security and across the enterprise as RCSAs are coordinated, facilitated, completed and reviewed. The Lead also partners with the Control Testing and Issue and Event Management functions within the 1st Line InfoSec Risk Management department.
• Partner with stakeholders, including process owners and control officers, to document processes (via process flows), risks and controls; enhance control language; and assist in developing and maintaining test scripts that validate controls are performed in compliance with policies, standards, procedures and other requirements to mitigate information security risk
• Support the execution of front line controls, self-assurance and risk assessment activities (ad-hoc controls review, business process management (BPM), risk control self-assessment (RCSA), and independent risk and audit activities) as directed
• Provide ongoing assessment of InfoSec's risk profile through regular monitoring and status reporting of risks, issues, events and initiatives within core processes
• Support iterative review and challenge of assessment results, working with appropriate stakeholders across the lines of defense
• Perform and facilitate the collection, review and assimilation of RCSA assessment data and reporting into concise and meaningful reports
• Assess exposure to risk, measure operational risk against ERM frameworks, assist in establishing policies and procedures to minimize risk, and identify ways to protect the organization from data loss and reputational damage
• Coordinate with InfoSec's Issues and Events Management and Control Testing functions to continually update the control effectiveness and residual risk ratings of InfoSec's business processes as needed
• Support implementation of change management needs with appropriate personnel within the Division and/or across divisional lines
• Monitor and oversee the progress of risk assessments; address and resolve complex issues
• Assist with Operational Risk event remediation efforts when needed
• Serve as a subject matter expert with internal and external auditors (e.g., NCUA, CFPB, and contracted third parties) to address and resolve audit questions and findings relating to core process risk management
• Support the testing of control design and the testing of control effectiveness for assigned areas as needed
• Identify areas for improvement in existing processes, methodology and policies; identify gaps and recommend enhancements; drive, adopt and enforce best practices in report templates and tools
• Coordinate required meetings, reviews and scheduling needs
• Perform other duties as assigned
Qualifications and Education Requirements:
• Degree in Business Administration, Economics, Mathematics, Computer Science, Engineering, Auditing, Law or a related field, or an equivalent combination of training, education and experience
• Advanced knowledge and understanding of risk-based auditing techniques and methodologies
• Advanced knowledge of operational risk controls, concepts and practices and/or InfoSec-specific frameworks
• Proven experience working within cross-functional, multi-dimensional teams and complex projects that carry business risk and impact
• Proven ability to plan, organize and effectively execute risk mitigation and process improvement initiatives
• Advanced organizational, planning and time management skills to juggle competing priorities in a fast-paced and dynamic environment
• Ability to comprehend, analyze, interpret, communicate and apply government and financial industry regulations, related principles and practices, and company instructions, procedures and policies
• Ability to work independently and in a team environment
• Effective analytical and complex thinking skills, including summarizing information and clearly identifying key elements, patterns, results or relationships
• Significant experience collaborating across organizational boundaries and building partnerships across various functions
Desired Qualifications and Education Requirements:
• Working knowledge of Navy Federal's products, services, programs, policies and procedures
• ORM, CISA, CISSM, CSPO, CDSPE certifications
• Lean Six Sigma Black Belt or equivalent process mapping experience
• Advanced knowledge of state and Federal laws; industry regulations, principles and practices; and company policies that govern the business unit's products/services
As a COVID-19 safety measure, our employees must either provide proof of COVID-19 vaccination or follow additional safety protocols, including testing.
Due to COVID-19 and social distancing, this position will temporarily work from home, with plans to return to campus at the listed location once Navy Federal is back to normal operations. The specific logistics for returning to campus will be determined at a future date by individual leadership.