Sirius XM Radio Inc. Senior Information Risk and Compliance Analyst in Washington, District Of Columbia
Location: Washington, D.C.
The Senior Information Risk and Compliance Analyst is responsible for supporting the Information Security and Compliance Department on all information security and compliance-related policies, standards, and practices across Sirius XM.
Duties and Responsibilities:
Supports the organization's Information Risk and Compliance programs, including SOX, PCI, ISO, and other programs, by conducting control testing, risk mitigation and evidence validation, and remediation tracking in accordance with COBIT, ISO, and regulatory standards and policies; reports issues and operational loss events.
Reviews and monitors the development, implementation, and maintenance of projects and plans related to information security and information security administration that support Information Risk and Compliance activities. Consults on the design and implementation of security features and protocols through the configuration and change management process, identifies information security gaps, requirements, and impacts resulting from system changes and/or modifications, and assists with remediation activities.
Performs information security risk analyses for the corporate network infrastructure, including telematics and other advanced technology environments, by performing threat and vulnerability assessments and analyzing threats and vulnerabilities to determine organizational impact and risk mitigation strategies, assisting the organization in protecting information systems and other resources from known and potential threats.
Partners with Information Security leads throughout the enterprise to identify information security risks, classify and prioritize those risks, implement controls to reduce or eliminate risks, and ensure adherence to corporate information security policies and standards; assists in conducting software security assessments and security and vulnerability assessments.
Acts as the subject matter expert on legal and regulatory requirements as they pertain to SOX, PCI, information security, information risk, privacy, and other applicable laws and standards, and works to align internal and external processes and procedures to these requirements. Monitors activities of assigned area(s) within the enterprise to ensure compliance with applicable internal control policies and procedures and with external laws and regulations.
Designs and manages the Vendor Information Risk Management Program, including maintaining an inventory of third parties who have access to the information technology environments, conducting security and compliance due diligence reviews, and maintaining compliance documentation.
Requirements and General Skills:
Bachelor's degree or equivalent, relevant experience.
Minimum of 5 years of experience in risk and compliance.
Ability to work with the development, integration, and infrastructure teams in implementing security controls.
Ability to articulate vulnerability and security risk based on technical security posture.
Ability to support the development of system-level information security plans of action and milestones.
Experience working on complex systems in a security engineering or other system-related role, including systems architecture, requirements analysis, integration, and process execution and evaluation.
Good public speaking and presentation skills.
Interpersonal skills and ability to interact and work with staff at all levels.
Excellent written and verbal communication skills.
Ability to work independently and in a team environment.
Ability to pay attention to details and be organized.
Ability to project professionalism over the phone and in person.
Commitment to "internal client" and customer service principles.
Willingness to take initiative and to follow through on projects.
Spelling, grammar, proofreading and editing skills.
Creative writing ability.
Ability to travel when required.
Excellent time management skills, with the ability to prioritize and multi-task, and work under shifting deadlines in a fast-paced environment.
Must have legal right to work in the U.S.
Knowledge of industry standards and best practices for IT audit -- COBIT, COSO Framework, SSAE 16.
Knowledge of industry standards and best practices for IT security -- ISO 27001/27002.
Thorough knowledge of MS-Office Suite (Word, Excel, PowerPoint, Access).
Fundamental understanding of risk-based information security management, as well as knowledge of applicable regulations, standards, and guidelines pertaining to information assurance (FIPS, NIST, ISO Standards).
Experience in PCI, ISO, and SOX.
Experience in vendor risk management.
Experience in information security and risk policy and standards development.
CISA, CISSP, or CRISC required.
As an EEO/Affirmative Action Employer, all qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.
The requirements and duties described above may be modified or waived by the Company in its sole discretion without notice.
Company EEO Statement
Our goal at SiriusXM is to provide and maintain a work environment that fosters mutual respect, professionalism and cooperation. SiriusXM is an equal opportunity employer that does not discriminate on the basis of actual or perceived race, creed, color, religion, national origin, ancestry, alienage or citizenship status, age, disability or handicap, sex, gender identity, marital status, familial status, veteran status, sexual orientation or any other characteristic protected by applicable federal, state or local laws.