Risk & Information Security Manager | Chicago, Houston, New York, Philadelphia, Pittsburgh, Los Angeles, or Washington, DC
Blank Rome LLP
The Risk & Information Security Manager is responsible for identifying, prioritizing, monitoring and reporting information security risks and ensuring proper controls are in place within the Firm. The position reports to the Chief Risk & Security Officer, in an ever-evolving area. The Risk & Information Security Manager works closely with attorneys and legal support professionals, as well as technology and operational personnel, to foster a collaborative and protective information risk management culture. The Risk & Information Security Manager performs necessary security evaluations and audits, manages the ISO certification process, and coordinates and confirms necessary security compliance.
- Development and day-to-day management of processes, tasks, analysis, and reporting that support compliance with the obligations of the Firm, whether those obligations are the result of regulation, legislation, client agreements, court orders, contracts, ethics, or any other source of obligations.
- Ensure the completion of compliance activity through a comprehensive program management approach that takes all Firm obligations into account.
- Collaborate with parties throughout the Firm where compliance activity relies on activity or input from others.
- Work with New Business Intake, attorneys, and available tools to ensure the discovery, intake, and cataloging of client-driven obligations.
- Manage the vendor security risk management program.
- Support the maintenance of compliance regimes, including ISO 27001, HIPAA, PCI DSS, GDPR, and any others which are relevant.
- Support the analysis of contracts and client agreements as well as the exploration of ethical obligations in order to identify expectations of the Firm.
- Analyze risk management practices, perform gap analysis and develop findings and assessment reports.
- Contribute to establishing metrics and tools to assess and report on inherent risks, control strength and residual risk in a consistent and objective manner.
- Participate in responding to client and other stakeholder assessments.
- Participate in preparing for and responding to externally-driven audit and assessment activity.
- Monitor and track exception requests and approvals.
- Understand and articulate risks associated with technology processes and Information Technology general controls and identify process and control gaps proactively.
- Liaise across relevant business, technology, and control functions to prioritize risks, challenge risk assumptions and tolerances, and drive appropriate risk response.
- Monitor internal and external business, regulatory and technology environment to identify new or emerging risks and verify remediation of issues.
- Participate in incident response as needed.
- Act as an internal subject matter expert regarding information risk identification, remediation and/or mitigation.
- Participate in the maintenance of risk management policies, standards and procedures.
- Participate in the risk assessment of new Information Technology products and services.
- Assist with and maintain business continuity plans.
- Stay current on changes to technology, internal policy and standards, developments in legal ethics, and relevant regulatory requirements; evaluate potential impacts on risks and controls and suggest modifications to the programs.
- Other duties as assigned.
- Bachelor’s Degree (Business Administration, Risk Management, Information Security, Management Information Systems (MIS), Computer Science or related Information Technology field preferred) or high school degree and minimum of 5 years of work or military experience in a related discipline.
- Minimum 5 years of experience in one or more of the following areas: information risk; information security; Information Technology security, audit or risk; or other experience involving implementation and/or monitoring of information controls.
- Experience in performing risk assessments and creating remediation plans a plus.
- Experience working within one or more of the following frameworks/regulations: ISO 27001/2, COBIT, NIST SP 800-53, SOX, SSAE16, GLBA, or PCI.
- Experience using a wide range of computer security-related tools and systems, such as email security, internet filtering and proxy, network monitoring, endpoint security, vulnerability scanning, and forensic tools.
- Familiarity with general computer operations, such as operating systems, networks, databases, virtualization, storage, cloud technologies, backup and recovery, and related operational processes.
- Must possess excellent oral and written communication skills.
- Strong facilitation and consensus-building skills.
- Demonstrated relationship-building skills, with the ability to make things happen through the use of positive influence.
Certificates & Licenses
- Certification such as CISSP, CISA, CIA, CISM, or CRISC preferred.
- Ability to work under pressure and exhibit attention to detail.
- Ability to learn quickly, regarding both systems and processes.
- Ability to coalesce a wide variety of data and analyze it to make appropriate decisions.
- Understanding of technology processes, risks and issues including infrastructure and information security.
- Ability to document and explain risks and vulnerabilities to both business and technical stakeholders.
- Self-starter; adaptable to change; motivated to set personal and program goals and proactively track performance against goals.
- Strong problem-solving and analytical skills; comfortable tackling complex problems and breaking these down into manageable pieces.
- Ability to exercise sound judgment to meet deadlines, prioritize tasks and escalate issues to leadership.
- Ability to work on complex requests in a fast-paced and high-pressure environment.
- Proficient in Word, PowerPoint, Excel, Adobe, and Outlook.
- High degree of personal initiative and sense of urgency.
- Able to type, sit for long periods of time and handle light lifting.