IT Governance Analyst Remote - Chicago, IL, United States - U of C NORC

Description

NORC at the University of Chicago seeks an IT Governance Analyst to join our growing Information Technology Department. The successful candidate will be responsible for the development, implementation, and maintenance of IT security policies, procedures, and frameworks, as well as technical documentation to support IT governance initiatives. This role involves writing and updating clear and comprehensive documentation, including policies, SOPs, framework documentation, training materials, and reports. The incumbent collaborates with cross-functional teams to ensure documentation is accurate, accessible, and aligned with regulatory requirements and industry standards. Additionally, the role involves providing technical writing support for IT security frameworks, metrics, compliance documentation, risk assessments, and incident response procedures. The IT Governance Analyst plays a crucial role in enhancing IT security awareness, ensuring compliance, mitigating risks, and driving continuous improvement in the organization's security posture.

NORC's Information Technology program provides technology services to our staff and clients. Given the critical role technology plays in our day-to-day lives, we are committed to providing professional, high-quality solutions in order to further our collective goal of advancing social science research.​

• Policy Development: Develop and maintain comprehensive IT security policies, standard operating procedures (SOPs), and guidelines in alignment with industry best practices, regulatory requirements, and organizational objectives. Ensure documentation is clear, concise, and easily understandable.
• SOP Creation: Write and update detailed standard operating procedures (SOPs) for IT security processes, ensuring clarity, effectiveness, and adherence to compliance standards. Translate technical information into user-friendly documentation.
• Procedure Documentation: Document IT security procedures, workflows, and protocols to streamline operations and facilitate consistent execution across the organization. Ensure documentation is accessible and well-organized.
• Framework Review: Evaluate existing IT security frameworks such as the NIST Cybersecurity Framework, ISO 27001, HIPAA and HITRUST, to assess their effectiveness, relevance, and suitability for the organization's needs. Provide technical writing support for framework documentation and customization.
• Framework Customization: Customize and tailor IT security frameworks to fit the specific requirements and risk profile of the organization, ensuring maximum effectiveness and efficiency. Document customization processes and rationale.
• Metric Development: Design, develop, and implement key performance indicators (KPIs) and metrics to measure the effectiveness of IT security controls, processes, and policies. Create documentation explaining metric definitions and calculation methodologies.
• Metric Tracking: Regularly monitor and track IT security metrics and performance indicators, analyzing trends, identifying areas for improvement, and providing actionable management insights. Produce reports summarizing metric trends and analysis.
• Report Generation: Prepare monthly, quarterly, and annual reports on IT security metrics, incidents, compliance status, and risk posture for presentation to senior management, stakeholders, and regulatory bodies. Ensure reports are well-written and visually appealing.
• Training and Awareness: Develop and deliver IT security awareness training programs and materials for employees to enhance their understanding of security policies, procedures, and best practices. Create training materials and user guides.
• Continuous Improvement: Continuously assess and improve IT governance processes, policies, and procedures based on emerging threats, industry trends, and organizational feedback. Document process improvements and best practices.

• Current security compliance certification such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) or System Security Certified Practitioner (SSCP)
• At least 5 years of experience in IT security, Policy, and SOP writing.
• Proficiency in writing clear, concise, and technically accurate documentation, including policies, procedures, standards, and guidelines.
• Understanding of fundamental cybersecurity principles, including threats, vulnerabilities, and risk mitigation strategies.
• Experience with creating and maintaining IT audit control processes to assess the suitability and applicability of technical, managerial, and operational security controls against security and regulatory frameworks
• Experience with GRC (Governance, Risk, and Compliance) systems or IRM (Information Risk Management) systems for tracking and monitoring multiple systems and assessments against multiple frameworks
• In-depth understanding of information security practices at all layers of the IT infrastructure, to include network, servers, databases, and applications
• General understanding of IT infrastructure, operating systems, database, and application operations Previous experience in the advanced use of information security assessment techniques (e.g., vulnerability scanning, penetration testing, verification of application security, etc.)
• Previous experience working with the HIPAA Security and Privacy Rules, as well as the HITRUST Common Security Framework (CSF)
• MUST HAVE Experience with HIPPA, NIST, ISO 27001, and HITRUST including but not limited to the review and development of security documentation and templates such as Policies, SOPs, and Procedures.
• Excellent verbal and written communication skills
• Familiarity with documentation tools and software, such as Microsoft Office Suite, Adobe Acrobat, markdown languages, etc., to create and maintain documentation effectively.
• Preferred but not required: Bachelor's degree in management information systems, Computer Science.

The pay range for this position is $94,000 – $140,000 .

This position is classified as regular. Regular staff are eligible for NORC's comprehensive benefits program. Benefits include, but are not limited to:

• Generously subsidized health insurance, effective on the first day of employment
• Dental and vision insurance
• A defined contribution retirement program, along with a separate voluntary 403(b) retirement program
• Group life insurance, long-term and short-term disability insurance
• Benefits that promote work/life balance, including generous paid time off, holidays; paid parental leave, tuition assistance, and an Employee Assistance Program (EAP).

NORC's Approach to Equity and Transparency

Pay and benefits transparency helps to reduce wage gaps. As part of our commitment to pay equity and salary transparency, NORC includes a salary range for each job opening along with information about eligible benefit offerings. At NORC, we take a comprehensive approach to setting salary ranges and reviewing raises and promotions, which is overseen by a formal Salary Review Committee (SRC).

NORC at the University of Chicago is an objective, non-partisan research institution that delivers reliable data and rigorous analysis to guide critical programmatic, business, and policy decisions. Since 1941, our teams have conducted groundbreaking studies, created and applied innovative methods and tools, and advanced principles of scientific integrity and collaboration. Today, government, corporate, and nonprofit clients around the world partner with us to transform increasingly complex information into useful knowledge.

For over 80 years, NORC has evolved in many ways, moving the needle with research methods, technical applications and groundbreaking research findings. But our tradition of excellence, passion for innovation, and commitment to collegiality have remained constant components of who we are as a brand, and who each of us is as a member of the NORC team. With world-class benefits, a business casual environment, and an emphasis on continuous learning, NORC is a place where people join for the stellar research and analysis work for which we're known, and stay for the relationships they form with their colleagues who take pride in the impact their work is making on a global scale.

NORC is an affirmative action, equal opportunity employer that values and actively seeks diversity in the workforce. NORC evaluates qualified applicants without regard to race, color, religion, sex, national origin, disability, status as a protected veteran, sexual orientation, gender identity, and other legally protected characteristics.