The GRC Risk Analyst is responsible for conducting security risk assessments to help identify and articulate risk and risk treatment options in support of NBCUniversal Business Groups.
• Conduct risk assessments to identify, assess, measure and monitor information security risks to NBCU processes, assets, vendors, products and services.
• Generate risk assessment reports to support management action, escalation, and risk acceptance processes resulting from risk assessments.
• Liaise with business area information security officers and security contacts, application owners, control owners, and SMEs such as Information Security, Internal Audit and specialized risk management teams.
• Facilitate development, prioritization and rationalization of risk mitigation including audit action plans
• Support monitoring of remediation efforts to completion
• Gather, analyze, and report status and metrics on risks, controls and issues including coverage metrics, KRIs and KPIs
• Help mature NBCU risk and control framework
• Minimum 3 years’ experience in Information Security, with practical experience in risk assessment
• Bachelor's degree, preferably in Computer Science, Information Systems, Engineering or related field(s)
• Strong knowledge base in operations, enterprise networking, systems evaluation, and architecture
• Demonstrated experience in the areas of risks and controls across various IT platforms, web, middleware, cloud services (IaaS, PaaS, SaaS), database, operating systems, infrastructure and social media
• CISSP, CISA, CISM, CRISC, or similar industry certification(s) desirable
• Practical understanding of security, risk and privacy regulatory frameworks such as ISO 27001/2, ISO 31000, NIST 800-53, SOX, PCI DSS, HIPAA
• Self-starter, able to work independently and as part of a team
• Strong analytical, research, and problem-solving skills with a keen attention to detail
• Strong written and verbal communication and organizational skills
• Able to communicate complex technology risk assessment information to non-technical business leaders to ensure they comprehend the risk being assigned to them
• Able to discern business-relevant risk associated with technology control deficiencies, and to identify the corresponding remediation required to mitigate the risk
• Knowledge of the risks relevant to the Media and Entertainment industry desirable