IS Security Risk & Compliance Analyst

Date: Apr 10, 2021

Office Location: Home Office/Remote, -, US

Company: Aptar Group

Reports to: Director, Cybersecurity & Architecture

Location: any Aptar location globally

(International relocation not available for this position; all candidates must reside and be authorized to work in a country in which Aptar has an existing legal entity)

Position Summary

The Information Security Risk & Compliance Analyst is a critical position within Aptar’s Global Information Security team, and has governance, risk assessment, and compliance responsibilities from a technology and security perspective across the organization globally. This individual will be directly responsible for implementing, maintaining, and improving policies, procedures, standards and guidelines to assure compliance with applicable regulatory and legal requirements as well as security best practices.

The Information Security Risk & Compliance Analyst will drive security risk analysis, design controls, and implement industry best practice processes for teams and technologies across the organization. In addition to driving continuous improvement in this space, the Analyst will lead efforts in the areas of information security governance/policy, security risk management, data protection, software security, incident response, awareness and education, and compliance with standards and regulations such as NIST, ISO, SOX, FAR, GDPR, and HIPAA.

Job Elements & Position Responsibilities

  • Develop and maintain Information Security policies, standards, and guidelines
  • Responsible for implementing and maintaining procedures and controls to assure compliance with applicable regulatory, contractual, and legal requirements as well as good business practices
  • Operationalize various Information Security governance functions, such as security risk management, compliance management, policy management, third party risk management (IT Cloud Service Providers & Supply Chain Risk), software security, and metrics and reporting
  • Conduct and manage third-party risk assessments (IT vendors, managed service providers, etc.)
  • Conduct and manage internal risk reviews of new or existing infrastructure and applications
  • Follow up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal/external audits to ensure that appropriate remediation measures have been taken
  • Work closely with business, technology, and compliance counterparts to understand business objectives and initiatives, and to ensure alignment with Information Security policies and best practices
  • Operationalize metrics and reporting functions to continually report on meaningful Information Security risk and compliance metrics for operational and executive management (KPIs/KRIs)
  • Assist with the development of security training materials and other communications to increase employee and contractor understanding of company security policies, data handling practices and procedures, and legal obligations
  • Provide oversight and project management of various internal and external audits, risk/control assessment engagements, penetration testing exercises, and customer/supplier audits
  • Facilitate Disaster Recovery/Business Continuity exercises and Computer Security Incident Response Testing (CSIRT)
  • Assist in the development of security strategies and roadmap initiatives
  • Other duties as assigned by management

Required Qualifications

  • Bachelor’s degree in Information Systems, Information Security, or other related discipline
  • 6 or more years' relevant industry experience, with a minimum of 4 years' recent experience in information security, risk, governance and/or compliance roles
  • Experience working in information security governance, with a broad understanding of a range of enterprise IT architectures (e.g., web applications, databases, operating systems, server infrastructure, mobile devices, and networking technologies)
  • Understanding of security functions including secure change management, secure SDLC, software/application security, identity and access management, supplier security risk management, patch and vulnerability management and security controls testing and validation
  • Ability to recommend and manage the implementation of IT controls for compliance with relevant industry regulations and standards (including NIST, ISO 27001, FAR, GDPR, HIPAA, and Sarbanes-Oxley)
  • Proven experience in the assessment of internal controls and in communicating findings and recommendations to others clearly and accurately in non-technical terms
  • Experience performing and managing security risk assessments against information security policies, standards, or frameworks
  • Ability to translate technical information security risk findings and articulate them in business terms to non-technical stakeholders
  • Understanding of international privacy and data protection regulations, such as GDPR
  • At least one of the following industry certifications is preferred:
    • Certified Information Systems Auditor (CISA)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Security Professional (CISSP)
  • Superior writing and editing skills with the ability to construct well-founded, clear, and concise analyses and recommendations
  • Experience managing complex programs and projects
  • Must be fluent in English