Chicago- Senior Security & Compliance Analyst @ Winston & Strawn LLP | Jobright.ai
Chicago- Senior Security & Compliance Analyst jobs in Chicago, IL

Winston & Strawn LLP · 15 hours ago

Chicago- Senior Security & Compliance Analyst

Law Practice
Growth Opportunities


Responsibilities

Develops and maintains information risk and security policies, procedures, and baseline standards. Coordinates with operations and engineering teams to drive adoption.
Supports strategic risk planning and budgeting activities. Assists with identifying and prioritizing risk remediation projects.
Measures and monitors the progress of security compliance initiatives, metrics, and key performance indicators (KPIs). Assists in preparing and communicating status to firm leadership.
Performs risk assessments of new technology solutions to identify potential privacy and information security risks. Coordinates with relevant project sponsors to report on issues and identify opportunities for risk mitigation.
Performs third-party vendor security risk assessments for new vendors and monitors the security performance of existing vendors. Manages the distribution of third-party risk assessment questionnaires (e.g., SIG) and tracks compliance with security expectations.
Supports Conflicts and Business Development teams by reviewing security requirements in client engagement letters, outside counsel guidelines, and RFPs for alignment with established firm standards.
Facilitates and coordinates responses to client security inquiries, questionnaires, and assessment requests. Tracks and coordinates identified issues through resolution.
Performs and coordinates ongoing security reviews and assessments to measure and validate internal control effectiveness (e.g., network penetration testing, red team assessments, process maturity reviews, technology gap assessments).
Manages and maintains internal GRC tooling, control frameworks, and security artifacts and evidence.
Leads and supports internal security awareness and training efforts and campaigns (e.g., developing annual training materials, conducting phishing exercises, evangelizing security awareness in ad-hoc presentations).
Leads internal ISO 27001 compliance activities (e.g., ISMS management reviews, internal audits, risk assessments). Coordinates and liaises on annual certification and surveillance audits.
Identifies potential security threats and vulnerabilities through threat feeds, vulnerability scans, and other mechanisms. Coordinates the timely resolution of vulnerabilities with relevant business and engineering stakeholders.
Participates in incident response tabletops, business continuity tests, and other compliance activities and exercises.
Supports and assists with various security projects (e.g., program enhancements, process improvements, security tool implementations).

Qualification


Information Security, Compliance (GRC), ISO 27001, NIST, GDPR, CCPA, CISSP, CISA, Network Security, Cloud Platforms, Endpoint Management, Identity Management, Access Controls, Encryption, Segmentation, Threat Management, Vulnerability Management

Required

Bachelor’s degree in information security, information technology, computer science, or related field required.
3+ years of experience in two or more domains of information security, risk and compliance (GRC), or IT audit required.
This role is fully remote; the candidate must reside within a commutable distance of the applicable local office.

Preferred

Broad knowledge and experience with fundamental security processes and associated controls.
Deep knowledge of and experience working with leading information security standards (e.g., NIST, ISO 27001) and relevant privacy regulations (e.g., GDPR, CCPA, HIPAA).
Experience in professional services, consulting, or a client-facing role is a plus.
Relevant security certifications (e.g., CISSP, CISA) are a plus.

Benefits

Comprehensive healthcare benefits package
Yearly retirement contribution
Annual discretionary merit bonus

Company

Winston & Strawn LLP

Winston & Strawn LLP is an international law firm with more than 975 attorneys in key financial centers around the world.

Funding

Current Stage
Late Stage

Leadership Team

Scot Farrell
Chief Operating Officer
Aaron O'Dell
Partner
Company data provided by crunchbase