The GRC Risk Analyst is responsible for conducting security risk assessments to help identify and articulate risk and risk treatment options in support of NBCUniversal Business Groups.
Conduct risk assessments to identify, assess, measure and monitor information security risks to NBCU processes, assets, vendors, products and services.
Generate risk assessment reports to support management action, escalation, and risk acceptance processes resulting from risk assessments.
Liaise with business area information security officers and security contacts, application owners, control owners, and SMEs such as Information Security, Internal Audit and specialized risk management teams
Facilitate development, prioritization and rationalization of risk mitigation including audit action plans
Support monitoring of remediation efforts to completion
Gather, analyze, and report status and metrics on risks, controls and issues including coverage metrics, KRIs and KPIs
Help mature the NBCU risk and control framework
Minimum 3 years' experience in Information Security, with practical experience in risk assessment
Bachelor's degree, preferably in Computer Science, Information Systems, Engineering or related field(s)
Strong knowledge base in operations, enterprise networking, systems evaluation, and architecture
Demonstrated experience in the areas of risks and controls across various IT platforms, web, middleware, cloud services (IaaS, PaaS, SaaS), database, operating systems, infrastructure and social media
CISSP, CISA, CISM, CRISC, or similar industry certification(s) desirable
Practical understanding of security, risk and privacy regulatory frameworks such as ISO 27001/2, ISO 31000, NIST 800-53, SOX, PCI DSS, HIPAA
Self-starter, able to work independently and as part of a team
Strong analytical, research, and problem-solving skills with a keen attention to detail
Strong written, verbal communication and organizational skills
Able to communicate complex technology risk assessment information to non-technical business leaders to ensure they comprehend the risk being assigned to them
Able to discern business-relevant risk associated with technology control deficiencies, and to identify the corresponding remediation required to mitigate the risk
Knowledge of the risks relevant to the Media and Entertainment industry desirable