
IT Security Governance, Risk, & Compliance Analyst
Wichita, KS
Posted 5 days ago
Job Description
Not eligible for remote employment: this role requires the candidate to be in person and onsite in Wichita, KS.
Role: Execute and maintain the elements of CUA's Information Security Governance, Risk, and Compliance (GRC) program. The focus is on execution, monitoring, and independent validation of governance controls, evidence collection, audit and regulatory examination support, and risk tracking. Support ongoing regulatory compliance and risk transparency while preserving management accountability and decision authority, in alignment with applicable regulatory guidance (FFIEC, NCUA, KDCU, GLBA).
Essential Functions & Responsibilities:
E (30%) Compliance Execution & Audit/Examination Support:
- Coordinate, collect, and maintain evidence required for internal audits, external audits, and regulatory examinations (e.g., NCUA examinations conducted against FFIEC guidance and GLBA requirements).
- Support regulatory and audit examinations by preparing documentation, responding to evidence requests, and tracking follow-up items.
- Track audit and examination findings, remediation activities, and management responses to ensure timely and documented closure.
- Perform periodic internal compliance reviews and control testing to validate adherence to approved security policies, standards, and procedures.

E (25%) Risk Management & Assessment Support:
- Support the Vendor Risk Management (VRM) program by reviewing third-party security documentation, SOC reports, and due-diligence artifacts in accordance with established risk assessment standards.
- Maintain and update the Information Security Risk Register, ensuring risks are clearly documented, assessed, tracked, and mapped to appropriate mitigation or acceptance decisions.
- Monitor risk remediation timelines and escalate overdue or unresolved items through established governance and reporting channels.

E (15%) Policy & Procedure Management:
- Assist in the drafting, updating, maintenance, and version control of Information Security policies, standards, and operational procedures.
- Ensure governance documentation remains current, internally consistent, and aligned with regulatory updates, audit outcomes, and business practices.
- Track required policy and procedure reviews and coordinate stakeholder input as directed by the Information Security Officer (ISO).

E (15%) Security Governance Support:
- Facilitate recurring governance activities, including Role-Based Access Control (RBAC) reviews, access attestations, and control validation, by coordinating with HR, IT, and business unit leaders.
- Coordinate and track Information Security awareness training and phishing simulation activities, maintaining required evidence and completion metrics.
- Prepare governance materials, dashboards, and summaries for committees (e.g., the IT Steering Committee) focused on compliance posture, control coverage, and risk status.

E (10%) Program Oversight & Metrics Support:
- Support execution of approved Information Security and Insider Threat Program elements by monitoring policy adherence and control effectiveness.
- Maintain key compliance, governance, and risk metrics (KPIs/KRIs) used for management and executive reporting.
- Provide accurate, timely data and documentation to support management review and decision making; interpretive analysis and risk acceptance decisions remain with the ISO and executive leadership.

N (5%) Other duties:
- Perform other duties as assigned by supervisor.
- Employees shall be trained annually on, demonstrate an understanding of, and follow the requirements of the BSA/AML Compliance Program as it specifically relates to their job.
Performance Measurements:
| 1. | Demonstrate a “Welcome to Friendly” attitude and model Credit Union of America’s values (Friendly, Inclusive, Productive, Respectful, Compassion) and purpose: “We come to work every day inspired to make a difference in our members’ lives.” |
| 2. | Ensure audit and regulatory examination evidence is accurate, complete, well organized, and available within the required timeframe, with minimal rework or follow up requested by auditors or examiners. |
| 3. | Ensure audit and examination findings, management responses, and remediation activities are consistently tracked, documented, and escalated in accordance with established governance procedures. |
| 4. | Verify Information Security Risk Register is complete, current, and accurately reflects approved risk assessments, mitigation activities, ownership, and status. |
| 5. | Ensure overdue, unresolved, or emerging risks are promptly identified, managed, and escalated through documented reporting and governance channels. |
| 6. | Ensure vendor due diligence reviews and supporting documentation (e.g., SOC reports and assessments) are completed accurately and maintained in accordance with established risk standards and timelines. |
| 7. | Verify Information Security policies, standards, and procedures are maintained within required review cycles, reflect approved regulatory and audit driven updates, and follow established governance hierarchy. |
| 8. | Confirm governance documentation is clear, consistent, properly version controlled, and suitable for regulatory and audit scrutiny without requiring material correction. |
| 9. | Ensure governance activities such as RBAC reviews, access attestations, training tracking, and control validation tasks are completed on schedule with complete and accurate supporting evidence. |
| 10. | Ensure compliance, governance, and risk metrics (KPIs/KRIs) are accurate, timely, and validated prior to reporting to management or committees. |
| 11. | Demonstrate effective coordination and professional communication with IT, HR, business units, auditors, and management in support of governance and compliance activities. |
| 12. | Maintain an appropriate working knowledge of applicable regulatory guidance (e.g., FFIEC, NCUA, GLBA), demonstrate strong attention to detail, and continuously improve GRC processes and artifact quality. |
| 13. | Complete required online regulatory training courses with a score of 80% or higher. |
Knowledge and Skills:
| Experience | Three to five years of similar or related experience. |
| Education | (1) A bachelor's degree (e.g., Information Technology, Computer Science, Information Systems), or (2) an equivalent combination of education and demonstrated GRC Analyst experience. GRC or audit-related certifications (e.g., Security+, CISA, CRISC, or similar) are preferred but not required. |
| Interpersonal Skills | Work involves much personal contact with others inside and/or outside the organization for the purpose of first-level conflict resolution, building relationships, and soliciting cooperation. Discussions involve a higher degree of confidentiality and discretion, requiring diplomacy and tact in communication. |
| Other Skills | - Ability to read, interpret, and apply regulatory guidance and examination materials (e.g., the FFIEC IT Examination Handbook, GLBA, NCUA guidance). - Working knowledge of information security frameworks and standards (e.g., NIST, CRI, ISO 27001). - Strong documentation, evidence management, and attention-to-detail skills suitable for audit and regulatory scrutiny. - Effective written, verbal, and presentation communication skills, with the ability to translate technical or compliance information into clear, user-friendly formats. - Strong organizational, prioritization, and time management skills to manage multiple concurrent GRC activities. - Ability to work independently while collaborating effectively across technical, operational, and business teams. - Foundational understanding of common IT infrastructure, security concepts, and control environments. |