Fragomen

IT GRC Analyst

Posted Yesterday
Remote
Hiring Remotely in Corporal, CA
Senior level
Support Fragomen's GRC operations by demonstrating security controls to clients and auditors, managing risk documentation and remediation, configuring GRC platforms, supporting ISO/SOC/PCI audits, vendor risk management, and security awareness initiatives.
The summary above was generated by AI

Job Description

Fragomen is seeking a Compliance Analyst to join our talented Compliance Response Team.

A Fragomen career gives you the opportunity to work with a smart, motivated and diverse peer group. Our exclusive focus on immigration means you will practice in an exciting, ever-changing and challenging environment with people who are passionate about immigration. Working in a collegial, team-oriented environment, Fragomen employees learn from the industry's leading experts. Our firm commitment to quality and best practices is supported by technological innovation that benefits our clients and staff.

Fragomen strongly affirms that the demonstration of data privacy and security is critical to meet our obligations to our clients and distinguishes our business offerings in this competitive market. 

The Compliance Analyst will report directly to the Governance, Risk, and Compliance Operations Manager.  

We seek a professional, diligent individual who can keep up with the high demand of client and partner requests that support, identify and demonstrate Fragomen’s security controls.

A candidate should

  • have thorough knowledge of IT Security controls to include basic understanding of Cybersecurity frameworks such as NIST 800-53, ISO 27001, SOC 2 type 2 and CIS controls. The candidate should have experience collecting evidence from internal stakeholders and presenting them to external auditors.
  • have a strong understanding of cybersecurity risk management, including how to document risks and develop risk treatment plans
  • understand and be able to articulate the relationship between cybersecurity and internal general controls (ITGC), compliance obligations and risk reduction
  • have experience configuring and using common GRC platforms, such as Vanta, Drata, and Apptega
  • have experience drafting IT policies that align with industry best practices
  • understand vendor and third-party risk management processes
  • have experience with supporting cybersecurity awareness programs
  • be knowledgeable of the global regulatory landscape and capable of communicating the Firm’s efforts in this area. 
  • be collaborative and team oriented as a member of Fragomen’s Governance, Risk & Compliance (GRC) team which helps make data privacy and security a distinguishing factor in our technological offerings.

A successful candidate will demonstrate these competencies and possess excellent communication skills to communicate our data security, data privacy and compliance efforts to our global partners, senior leadership, and Clients.

Responsibilities will center around demonstrating to Clients Fragomen’s secure operational environment and foundational security policies and principles through the completion of client questionnaires, external certifications, Client audits, RFPs, and technical assessments.

What a Compliance Analyst Does at Fragomen:

Operationalizing Risk Management:

  • Understand industry standard cybersecurity risks and how controls affect them. 
  • Understand how GRC platforms work and how they support Risk Management
  • Develop trusted relationships with senior business partners to gain an in-depth understanding of key business processes, products and services, and influence others to ensure business case and customer satisfaction goals are met.
  • Acquire fundamental knowledge of all Fragomen areas to better understand emerging risks.
    • Support the Service Delivery function to deliver reliable, best-in-class support services in a manner that meets our contractual obligations and delights our customers and clients.
    • Assist with vendor and third-party risk management

IT Compliance

  • Support ISO 27001, SOC 2 type 2 and PCI audits by gathering and documenting how Fragomen is meeting the control objectives identified in these standards
  • Support completing client-facing requests demonstrating Fragomen’s security controls, including demonstrating and understanding technical security controls.
  • Work closely with IT internal audit to meet IT security compliance obligations

Assistance in GRC Operations:

  • Collaboratively work with teammates and internal Fragomen teams and take direction from management to resolve assigned Client support work items with both speed and quality.
    • Acquire fundamental knowledge of all Compliance Operations areas to gain comprehensive knowledge of operations and industry standard best practices.
  • Support security awareness programs
  • Collaborate with GRC oriented teams - the Office of Audit and Privacy, the Office of General Counsel, Information Security and Compliance - and legal/client relationship teams to continuously improve and demonstrate the firm’s commitment to data privacy and security.
  • Produce written and verbal communication that, when escalating matters, is summarized and always clear and concise.
  • Provide ideas and suggestions for department process improvements.

Let’s Talk If You Have:

  • A strong understanding of information security and data privacy frameworks and their control objectives, including NIST Cyber Security Framework (CSF), NIST 800-53, and CIS
  • Experience supporting ISO27X series, SOC2 and PCI compliance requirements and external audits, including control and evidence documentation
  • Broad knowledge of Data Privacy regulatory landscape including but not limited to GDPR.
  • Experience in risk management and project management, including but not limited to documenting and developing remediation plans.
  • Experience supporting security awareness training
  • Drafting IT Policies that align with industry best practice and cybersecurity frameworks
    • Strong communication skills both written and verbal
    • Outstanding work ethic
  • Minimum of 5 years of experience in the IT Security GRC field based on work history and/or education.
    • Big 4 or large consulting firm experience a major plus

All offers and/or employment contracts are contingent upon the successful completion of the Firm’s pre-employment screening process. This process may include verifying the candidate’s identity, confirming legal authorization to work in the offered position's location, and conducting a comprehensive background check, where permitted by local regulations.

Top Skills

NIST 800-53, ISO 27001, SOC 2, CIS Controls, NIST CSF, PCI, GDPR, Vanta, Drata, Apptega, ITGC
