Ryder System Information Risk and Compliance Analyst in MIAMI, Florida

Position Description

The Information Risk and Compliance Analyst will be responsible for assuring information security and managing risks related to the use, processing, transmission and storage of information and the systems and processes used for those purposes. The Analyst's role lies within the Chief Information Security Officer's organizational structure, reporting to the Manager of Information Security Governance, Risk and Compliance. The Analyst will be a key member contributing to the development and maintenance of information security policies, focusing on assessing and prioritizing risk across the organization, compliance with information security policies, and the development and reporting of information security metrics. The Analyst will perform risk assessments and control gap analysis against Information Security Policies and Risk Management Standards. The Information Risk and Compliance Analyst will create, organize and articulate summarized risk findings that are clear and actionable by business stakeholders, reduce risk by helping to prioritize and drive remediation efforts throughout the organization, and contribute to risk management, treatment, and reporting process efforts to protect data assets. The Analyst's role will help prepare for and facilitate assessments and examinations by qualified security assessors. The Analyst will perform third party supplier security assessments, as well as facilitate and coordinate responses for customer due diligence questionnaires.

Requirements

  • Bachelor's degree in Information Security, Information Technology, or Management Information Systems

  • Master's degree in Information Security, Information Technology, or Management Information Systems preferred

  • Three years or more experience with risk assessments and compliance of major regulatory initiatives (e.g. SOX, PCI-DSS, HIPAA, FedRAMP)

  • Three years or more experience with cyber security and information security program management and frameworks (e.g. NIST CSF, ISO/IEC 27000, etc.)

  • Strong verbal, listening and written communication skills

  • Ability to:

  • Analyze and solve problems

  • Create and maintain professional relationships within all levels of the organization (peers, work groups, customers, supervisors)

  • Collect, compile, gather reports with associated email thread responses ensuring respective reports and responses are maintained separate for each entitlement report reviewer

  • Drive multiple projects to successful completion. Excellent prioritization capabilities, with an aptitude for breaking down work into manageable parts, effectively assessing the priority and time required to complete each part

  • Effectively facilitate meetings, work sessions, and training

  • Effectively manage a variety of tasks and projects simultaneously.

  • Group, categorize, and systematize data, people, or things

  • Identify and assesses the severity and potential impact of risks and communicate risk assessment findings to risk owners outside Information Security in a way that consistently drives objective, fact-based decisions about risk that optimize the trade-off between risk mitigation and business performance

  • Influence internal and/or external constituents and effectively influence others to modify their opinions, plans, or behaviors, with an emphasis on collaborating across multiple teams and ensuring program needs are satisfied through interpersonal and trusted communication

  • Listen, write, and speak effectively. Inform, explain, give instructions and communicate complex and technical issues to diverse audiences, orally and in writing, in an easily-understood, authoritative, and actionable manner

  • Maintain confidential information

  • Present information and ideas clearly and understandably to others

  • Simultaneously handle multiple priorities

  • Work in a regulated environment. An understanding of organizational mission, values, and goals and consistent application of this knowledge

  • Work independently and as a member of a team

  • Work on several tasks simultaneously and pay attention to sources of information from inside and outside one’s network within an organization

  • Work with others in a professional manner while achieving a common goal

  • Work within tight timeframes and meet strict deadlines

  • Demonstrates a high level of accuracy, even under pressure

  • Possesses a high degree of initiative. An understanding of business needs and commitment to delivering high-quality, prompt, and efficient service to the business

  • Seeks to acquire knowledge in area of specialty

  • Excellent organizational skills

  • Maintains a high degree of professionalism

  • Proactively approaches responsibilities. An understanding of organizational mission, values, and goals and consistent application of this knowledge

  • Maintains composure under pressure

  • Flexibility to operate and self-driven to excel in a fast-paced environment

  • Capable of multi-tasking, highly organized, with excellent time management skills

  • Demonstrates excellent judgment and decision making skills. Strong decision-making capabilities, with a proven ability to weigh the relative costs and benefits of potential actions and identify the most appropriate one

  • Exposure to and familiarity with relevant standards such as ISO/IEC 27000 family - Information Security Management Systems, NIST Cybersecurity Framework, NIST 800, and applicable laws related to regulatory compliance, information security and privacy (e.g. SOX, HIPAA, GDPR, PCI-DSS); intermediate level

  • Knowledge of information security risk management and IT controls frameworks and methodologies (e.g. ISO/IEC 27005, COBIT, OCTAVE); intermediate level

  • Knowledge of Risk Management Principles (risk avoidance, transfer, mitigation, acceptance), Risk Assessment process; intermediate level

  • Knowledge of Cloud Security - Cloud Control Matrix (CCM), Consensus Assessment Questionnaire (CAIQ) (intermediate level)

  • Knowledge of Common Controls Hub - Unified Compliance Framework (UCF) (intermediate level) preferred

  • Knowledge of Standardized Information Gathering (SIG) Questionnaire (intermediate level) preferred

  • Knowledge of AICPA SOC for Service Organizations (intermediate level) preferred

  • Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified in Risk and Information Systems Control (CRISC) or Certified Cloud Security Professional (CCSP) credentials or International Association of Privacy Professionals (IAPP) (within 90 days)

Responsibilities

  • Perform information security risk assessments and risk management activities across the organization. Establish and maintain risk criteria, identify, analyze, and evaluate information security risks. Ensure that repeated information security risk assessments produce consistent valid and comparable results. Maintain repository of documented information about the information security risk assessment process. Conduct risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities and risks

  • Perform selection of appropriate information security risk treatment options as a result of risk assessment results, determine all controls that are necessary to implement the information security risk treatment options, compare controls and verify that no necessary controls have been omitted, obtain risk owner's approval of the risk treatment plan and acceptance of residual information security risks

  • Perform information security, governance, risk and compliance assessment reports on third party suppliers to ensure supply chain risk is managed throughout the supplier's lifecycle. Produce final reports of pros and cons, observations of anomalies, and deliverables for the business as well as mandates for supplier compliance. Articulate results of the final assessments to business stakeholders, project sponsors, program managers, and other internal parties. Assist with review of information security sections within supplier contracts to ensure security and data privacy requirements are in place

  • Assist with the evaluation of the effectiveness of information security management and performance by developing, monitoring, gathering and analyzing information security and compliance metrics for management. Develop and implement a risk reporting framework for management teams and governance committees

  • Design and document IT general controls to ensure the business demonstrates compliance with its regulatory or compliance obligations. Facilitate and coordinate activities and responses related to internal and external controls testing including entitlement reviews. Facilitate the remediation of control gaps and escalate critical issues to management. Work closely with control owners, internal and external auditors to ensure requests are completed for timely delivery to audit. Assist with third party audits and certifications for the organization (i.e. SOC, ISO, PCI, etc.)

  • Assist with responding to customer information security requirements and due diligence questionnaires. Coordinate and facilitate response gathering in conjunction with other organizational application, support, infrastructure, legal, HR, and physical security teams as necessary. Ensure responses are accurate, valid, consistent and reported within expected deadlines. Maintain repository of customer information security requirements, track and report on compliance

  • Analyze and evaluate information security incidents in order to reduce the likelihood or impact of future incidents. Facilitate reports of security violations by documenting and coordinating remediation and awareness of violations to respective managers. Maintain repository of information security incidents and develop metrics for reporting to management

  • Research, recommend, and contribute to information security polices, standards, and procedures and work with other organizational participants from legal, human resources, information technology, compliance, physical security, the business units and others that have to implement the policies. Assist the lifecycle management of information security's policy and supporting documents

  • Provide assistance with other information security, risk and compliance projects and initiatives as assigned

  • Stay current with industry trends relevant to cyber security, privacy, and risk

  • Performs other duties as assigned

Ryder is proud to be an Equal Opportunity Employer and Drug Free workplace. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, sex, sexual orientation, gender identity, age, status as a protected veteran, among other things, or status as a qualified individual with disability.

Requisition ID 2018-63478

Category Information Technology

Employment Type Regular - Full Time (4)

Travel Requirements 0-10%

Position Code 7889