Independently conducts routine risk management activities, ensuring that Paychex business managers understand the gross and net impact of IT-related risk. Identifies existing and recommended compensating controls to mitigate identified risk. The position also requires research and information analysis in support of various activities of the Risk and Compliance department, such as preparing responses to prospect, client or partner security questionnaires, conducting vendor security risk assessments, and identifying best-practice security controls.
Independently conducts and presents routine risk assessments to business managers that include risk identification, impact assessment, compensating controls identification, risk mitigation opportunity identification and business recommendations.
Approves formal statements in response to prospect, client or partner security inquiries, such as RFPs, RFIs, partner questionnaires or ad hoc questions. Escalates sensitive response statements for further review when deemed necessary and appropriate.
Conducts and manages security risk assessments of current and prospective information hardware, software or service providers to ensure that adequate controls are in place to protect company interests.
Works with legal, business and IT management to incorporate and negotiate company security terms and conditions in contracts.
Develops security policy and security standards for consideration by the Security Review Board. Identifies obsolete standards for possible retirement. Manages the policy exception request process. Provides follow-up to ensure review of expiring exception authorizations.
Develops security training materials that support the training of IT personnel and security program participants in the application of company security policies, standards and procedures.
Manages the monthly reporting for the Security Review Board and coordinates with senior risk analysts for quarterly reporting to the Security Governance Council.
Consults with internal personnel across the company to provide guidance on and understanding of information security principles, standards and industry best practices.