IT Enterprise Risk Analyst

Benefits

Additional Information

We are a Firm where people truly believe in what they do and strive to achieve the highest standards of performance and success. This position is based in the Firm's global operations center in Tampa, FL. General Description: We are seeking an IT Enterprise Risk Analyst to join our team. The IT Risk Analyst helps manage the Firm's GRC and IT risk programs, focusing on information security for client data, attorney work, and privileged communications. Reporting to the IT Enterprise Risk Management Manager, the role maintains policies, assesses risks and controls, coordinates third-party reviews, drafts responses for client guidelines, prepares evidence for cyber insurance, and supports audits. Responsibilities align with ISO/IEC 27001/27002, NIST CSF, CIS Controls, SOC 2, HIPAA, GLBA, GDPR, and state privacy laws (e.g., CCPA/CPRA). Key Responsibilities and Essential Job Functions: Policy, Standards and Governance Support the development, review, and maintenance of information security and technology risk policies, standards, procedures, and guidance documents. Maintain the policy lifecycle process, including stakeholder reviews, approvals, publication, periodic review schedules, and version control. Map policies/standards to ISO, NIST, CIS Controls, SOC 2, HIPAA, GLBA, U.S. state privacy laws, and EU requirements, and to applicable client Outside Counsel Guidelines and contractual security addenda; maintain crosswalks and control documentation to support audit readiness. Administer policy exception and risk acceptance of workflows, ensuring justification, compensating controls, approvals, and defined expiration/renewal dates. Contribute to awareness materials and operational guidance to promote consistent implementation of requirements. Help maintain controls supporting ethical walls / information barriers, matter-level access restrictions, and legal hold obligations, under the direction of the Senior Analyst and in partnership with the Office of the General Counsel, Conflicts, and Records & Information Governance. Maintain awareness of the Firm's professional responsibility obligations, including ABA Model Rules 1.1 (technology competence) and 1.6 (confidentiality of information), and apply that awareness to policy implementation and control activities. Information Security and Technology Risk Management Conduct or facilitate risk assessments for applications, infrastructure, cloud services, Firm-critical legal-industry platforms (document management, time and billing, conflicts and new business intake, eDiscovery, and matter management), and key business processes; document risk statements, likelihood/impact, and control effectiveness. Maintain and update the risk register, including inherent and residual ratings, treatment plans, owners, milestones, and status updates. Partner with control owners to identify remediation actions, track progress, and validate closure with appropriate evidence. Support ongoing risk monitoring through key risk indicators (KRIs) and control health metrics, including indicators relevant to the legal sector (e.g., business email compromise and wire-fraud schemes, ransomware targeting law firms, and client-confidential data exposure). Draft and contribute to risk reporting and summaries for governance forums under the direction of the IT Enterprise Risk Management Manager, including content packaged for Firm leadership and Firm Management Committee audiences. Support incident response activities by gathering control and risk evidence, contributing to post-incident lessons learned, and helping ensure resulting control improvements are tracked in the risk register. Vendor/Third Party Risk Management (TPRM) Perform third party security due diligence based on vendor criticality and risk tiering (including third-industry parties such as co-counsel and local counsel, eDiscovery and document review providers, expert witnesses, court reporters and translators, legal-technology SaaS vendors, and managed-service providers handling client matter data); coordinate security questionnaires and evidence collection. Review assurance artifacts such as SOC reports, ISO certificates, penetration test summaries, security whitepapers, and privacy/security attestations. Identify gaps, document findings, recommend remediation/compensating controls, and track vendor action plans to closure. Partner with Procurement/Legal to ensure contracts include appropriate security and privacy requirements (e.g., breach notification, subcontractor controls, right-to-assess, data processing terms, and data residency as applicable). Support periodic vendor reassessments and reassessments triggered by scope changes, incidents, or material updates. Draft initial responses to inbound client security questionnaires and Outside Counsel Guideline (OCG) inquiries for Senior Analyst review; help maintain a controlled answer library and partner with the engagement attorney and Loss Prevention on follow-ups. Audit, Assura

Your Match

How well this role fits your profile.

Company Intel

What employees say

Worked at hklaw? Share your experience