THE ROLE:
The GRC Analyst III investigates and analyzes potential areas of risk, compliance and exposure to Technology (and Herbalife Nutrition), highlighting and quantifying the risks to help drive business decisions. This role must proactively escalate potential risks, issues and exposure to leadership and be outspoken in seeking mitigation actions. As this role progresses, the GRC Analyst will gain responsibility in designing and defining the risk analysis and serve as an advisor in GTS/DO/Cybersecurity.
HOW YOU WOULD CONTRIBUTE:
- 6+ years of experience with IT governance, risk management, vulnerability management and compliance tools and processes
- Conduct risk/control/vulnerability analyses using statistical models to determine potential risk and exposure and produce reports to leadership for risk-related decisions.
- Drive tracking, maintenance and reporting for operational risk register, risk and control matrix, and vulnerability register
- Prioritize and report on risk/compliance/vulnerabilities discovered along with the remediation timeline(s)
- Provide risk/compliance/vulnerability/security testing, produce reports and dashboards for management, and drive preventative and mitigation actions.
- Maintain current knowledge of evolving threat landscape.
- Collaborate with multiple global teams and SMEs of risk/compliance/vulnerabilities within the environment.
- Develop relevant training material for Governance Risk and Compliance
- Coordinate with cross-functional members across technology functions
- Ensure SOX compliance; track deficiencies and drive mitigation actions
- Act as internal and external liaison with auditors
- Design, execute and manage security awareness training and simulated phishing campaigns to assess the organization's susceptibility to attacks
- Conduct regular reviews of sensitive access permissions and collaborate with technology teams to ensure compliance with internal policies and regulatory requirements
- Perform comprehensive reviews of existing policies to ensure they are up-to-date and aligned with industry best practices and regulatory requirements
- Identify and document policy exceptions, and work with relevant stakeholders to assess and mitigate associated risks
- Develop and implement new policies and procedures to address emerging risks and compliance requirements
- Identify areas for process improvement within the GRC program and develop strategies to enhance efficiency and effectiveness
- Collaborate with cross-functional teams to implement process improvements and ensure alignment with organizational goals
- Provide guidance and support to junior team members, helping them develop their skills and knowledge in GRC
- Perform additional duties as assigned
WHAT’S SPECIAL ABOUT THE TEAM:
Governance Risk and Compliance is a global team that collaborates with IT, Cybersecurity, Privacy, Enterprise Risk and other risk teams in the company to manage technology risks and provide proactive risk solutions. Our vision is to provide risk information that supports fact-based decision making, aligned with our enterprise strategy.
SKILLS AND BACKGROUND REQUIRED TO BE SUCCESSFUL:
- Proficient in GRC analysis, risk assessment and vulnerability tools
- Knowledge of application, network and operating system security
- GRC (governance, risk, and compliance) experience is a must
- Knowledge of vulnerability scoring systems (CVSS/CMSS)
- Communication skills to relay results of analysis
- Ability to build strong relationships across various functions of Technology to be able to preemptively identify and communicate risks
- Detail-oriented, organized and methodical, with strong follow-up skills and an analytical thought process
Certificates / Training:
- IT, risk and security practices, standards and controls (e.g. COBIT, NIST-CSF, CIS-CSC, C2M2, CSOE, ITIL)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Cloud Security Professional (CCSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
Education:
Required:
- Bachelor's in Information Technology or equivalent
Preferred:
- Advanced Technical Degree