
IT Risk & Compliance Specialist (Hybrid Schedule)

Howard Hughes Medical Institute (HHMI)
United States, Maryland, Chevy Chase
June 20, 2022

Primary Work Address: 4000 Jones Bridge Road, Chevy Chase, MD, 20815


HHMI is focused on supporting and moving science forward in a variety of different ways ranging from conducting basic biomedical research, empowering educators, inspiring students, developing the next generation of scientists - even stretching into film and media production. Our Headquarters is in the greater Washington, DC metro area and is home to over 300 employees with expertise in investments, communications, digital production, biomedical sciences, and everything in between. The work housed here supports and augments the groundbreaking research conducted in HHMI labs across the nation. As HHMI scientists continue to push boundaries in laboratories and classrooms, you can be sure that your contributions while working here are making a difference.


As our IT Risk & Compliance Specialist, you will join our Business Solutions department and play an integral role in helping us to formalize and maintain a standardized IT risk management framework. You will be responsible for assessing IT practices and controls to ensure systems and processes function efficiently and effectively, remain in compliance with relevant organizational policies, procedures, laws, and regulations, and provide for adequate protection of Institute assets based on risk-based profiles.

Working in a collaborative environment, your duties will include evaluating internal IT processes to identify potential threats and weaknesses, reporting findings to leadership, and recommending solutions/measures to improve data integrity and protection, security, business continuity preparedness, and IT risk management. To be successful in this critical position, you will need to take initiative and exercise independent judgment while managing multiple priorities, projects, and balancing stakeholders.

Under the direction of our Enterprise Solutions Architect, you will work in this newly-created position under a hybrid model at our headquarters campus in Chevy Chase, MD.

In this role, you will:

  • Support the Business Solutions/IT Services management team in implementing standardized IT risk management practices that provide ongoing visibility into key areas of risk.

  • Support the effective execution of the risk management framework by establishing and managing relationships with key stakeholders within Business Solutions Capability Teams and IT Services.

  • Liaise with HHMI's Risk & Compliance Director and Manager, Enterprise Governance & Controls to maintain a shared awareness of Business Solutions' risk management plan/efforts and avoid duplication of efforts across areas of responsibility.

  • Conduct internal risk assessments and control audits of IT systems and processes with emphasis on the following key areas:

    • IT Security Management - Assess compliance with documented security policies and procedures, support measures to validate the adequacy of security control environments of third-party software and infrastructure service providers, and monitor the remediation of risks/vulnerabilities identified through external security assessments.

    • Incident Management - Assess the adequacy of processes to identify, document, evaluate, communicate, and resolve reported security incidents and breaches.

    • IT Asset Management - Assess the adequacy of controls over the Institute's technology assets.

    • Data Management - Assess the adequacy of solutions and controls in place to classify and protect the Institute's data assets based on defined risk profiles.

    • Business Continuity Management - Validate that recovery plans for all business and infrastructure systems are maintained up to date and that appropriate testing is performed on a regular basis to ensure IT business continuity preparedness.

    • Regulatory Compliance - Maintain an awareness of regulatory compliance obligations that impact security controls over the Institute's systems and data and assist in evaluating compliance with applicable regulations.

    • IT Change Control - Ensure that system and infrastructure changes are adequately documented, properly authorized, and managed in a standard, controlled manner.

  • Effectively communicate key risks, findings, and recommendations for improvement to key stakeholders.

  • Prepare reports to management communicating the results of the work performed, recommend management action plans, and perform follow-up to validate completion of action plans.

  • Assist in the development and ongoing maintenance of IT risk registers, working closely with technical teams to help identify risks/issues and develop remediation plans and mitigation strategies.

  • Monitor, track, and report on the mitigation and resolution of IT risks, routinely updating management on outstanding issues and risks.

Education & Experience:

  • Bachelor's degree in Computer Science, Information Technology, or related technical degree or a combination of education and related experience

  • Master's degree a plus

  • Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), or Certified Information Systems Security Professional (CISSP) preferred

  • Minimum of seven years of relevant experience in IT risk management, internal controls, and information systems auditing

  • Demonstrated expertise in IT risk management functions, including IT audit and governance practices

  • Familiarity with cybersecurity frameworks and practices, such as NIST CSF

  • Experience working remotely in virtual teams.

Skills & Abilities:

  • Strong knowledge of IT organization business processes and systems, including IT security, data management, architecture and planning, technology life cycle management, and regulatory concerns.

  • Must be highly self-motivated and self-directed with a proven track record of working both independently and in team settings.

  • Must be skilled in working collaboratively and effectively with employees at all levels of the organization with the ability to influence others.

  • Comfortable with driving conversations with teams with varied backgrounds and purposes.

  • Strong communication and active listening skills; ability to clearly articulate messages to a variety of audiences in writing and verbally

  • Highly organized with strong attention to detail.

  • Excellent time-management skills and able to handle projects and responsibilities with competing priorities.

  • Must function as a technical and subject matter expert with strong analytical and problem-solving skills.

  • Strong knowledge of systems management principles.

  • Flexible and adaptable; able to work in ambiguous situations.

  • Acute business acumen and understanding of organizational culture, issues, and challenges.

  • Ability to conduct research into IT security issues and products as required.

  • Strong proficiency in the Microsoft Office suite, especially Teams, Excel, and PowerPoint.

Physical Requirements:

Remaining in a normal seated or standing position for extended periods of time; reaching and grasping by extending hand(s) or arm(s); dexterity to manipulate objects with fingers, for example using a keyboard; communication skills using the spoken word; ability to see and hear within normal parameters; ability to move about workspace. The position requires mobility, including the ability to move materials weighing up to several pounds (such as a laptop computer or tablet).

Persons with disabilities may be able to perform the essential duties of this position with reasonable accommodation. Requests for reasonable accommodation will be evaluated on an individual basis.

Please Note:

This job description sets forth the job's principal duties, responsibilities, and requirements; it should not be construed as an exhaustive statement, however. Unless they begin with the word "may," the Essential Duties and Responsibilities described above are "essential functions" of the job, as defined by the Americans with Disabilities Act.

HHMI is an Equal Opportunity Employer
