IT Enterprise Risk Analyst

IT Enterprise Risk Analyst

We are a Firm where people truly believe in what they do and strive to achieve the highest standards of performance and success.

This position is based in the Firm's global operations center in Tampa, FL.

We are seeking an IT Enterprise Risk Analyst to join our team. The IT Risk Analyst helps manage the Firm's GRC and IT risk programs, focusing on information security for client data, attorney work, and privileged communications. Reporting to the IT Enterprise Risk Management Manager, the role maintains policies, assesses risks and controls, coordinates third-party reviews, drafts responses for client guidelines, prepares evidence for cyber insurance, and supports audits.

Key Responsibilities and Essential Job Functions:

• Policy, Standards and Governance
  • Support the development, review, and maintenance of information security and technology risk policies, standards, procedures, and guidance documents.
  • Maintain the policy lifecycle process, including stakeholder reviews, approvals, publication, periodic review schedules, and version control.
  • Map policies/standards to ISO, NIST, CIS Controls, SOC 2, HIPAA, GLBA, U.S. state privacy laws, and EU requirements, and to applicable client Outside Counsel Guidelines and contractual security addenda; maintain crosswalks and control documentation to support audit readiness.
  • Administer policy exception and risk acceptance of workflows, ensuring justification, compensating controls, approvals, and defined expiration/renewal dates.
  • Contribute to awareness materials and operational guidance to promote consistent implementation of requirements.
  • Help maintain controls supporting ethical walls / information barriers, matter-level access restrictions, and legal hold obligations, under the direction of the Senior Analyst and in partnership with the Office of the General Counsel, Conflicts, and Records & Information Governance.
  • Maintain awareness of the Firm's professional responsibility obligations, including ABA Model Rules 1.1 (technology competence) and 1.6 (confidentiality of information), and apply that awareness to policy implementation and control activities.
• Information Security and Technology Risk Management
  • Conduct or facilitate risk assessments for applications, infrastructure, cloud services, Firm-critical legal-industry platforms (document management, time and billing, conflicts and new business intake, eDiscovery, and matter management), and key business processes; document risk statements, likelihood/impact, and control effectiveness.
  • Maintain and update the risk register, including inherent and residual ratings, treatment plans, owners, milestones, and status updates.
  • Partner with control owners to identify remediation actions, track progress, and validate closure with appropriate evidence.
  • Support ongoing risk monitoring through key risk indicators (KRIs) and control health metrics, including indicators relevant to the legal sector (e.g., business email compromise and wire-fraud schemes, ransomware targeting law firms, and client-confidential data exposure).
  • Draft and contribute to risk reporting and summaries for governance forums under the direction of the IT Enterprise Risk Management Manager, including content packaged for Firm leadership and Firm Management Committee audiences.
  • Support incident response activities by gathering control and risk evidence, contributing to post-incident lessons learned, and helping ensure resulting control improvements are tracked in the risk register.
• Vendor/Third Party Risk Management (TPRM)
  • Perform third party security due diligence based on vendor criticality and risk tiering (including third-industry parties such as co-counsel and local counsel, eDiscovery and document review providers, expert witnesses, court reporters and translators, legal-technology SaaS vendors, and managed-service providers handling client matter data); coordinate security questionnaires and evidence collection.
  • Review assurance artifacts such as SOC reports, ISO certificates, penetration test summaries, security whitepapers, and privacy/security attestations.
  • Identify gaps, document findings, recommend remediation/compensating controls, and track vendor action plans to closure.
  • Partner with Procurement/Legal to ensure contracts include appropriate security and privacy requirements (e.g., breach notification, subcontractor controls, right-to-assess, data processing terms, and data residency as applicable).
  • Support periodic vendor reassessments and reassessments triggered by scope changes, incidents, or material updates.
  • Draft initial responses to inbound client security questionnaires and Outside Counsel Guideline (OCG) inquiries for Senior Analyst review; help maintain a controlled answer library and partner with the engagement attorney and Loss Prevention on follow-ups.
• Audit, Assurance and Compliance (ISO / NIST / CIS / SOC 2 / HIPAA / GLBA / EU)
  • Support internal and external audits by coordinating evidence collection, control walkthroughs, and timely responses to audit requests.
  • Assist with gap assessments and control testing against ISO 27001/27002, NIST CSF / SP 800-53 / 800-171, CIS Controls, SOC 2 Trust Services Criteria, GLBA Safeguards Rule, and HIPAA requirements.
  • Support EU-aligned compliance activities where applicable (e.g., GDPR security measures and accountability documentation; NIS2-aligned operational practices).
  • Track audit findings, corrective action plans (CAPs), and management responses; monitor remediation progress and validate closure evidence.
  • Maintain audit artifacts including control matrices, evidence inventories, and standardized templates to improve repeatability and audit readiness.
  • Support control activities related to handling Controlled Unclassified Information (CUI) and other regulated client data for the Firm's federal, defense, aerospace, and government-contracts practices, including evidence gathering and documentation aligned with NIST SP 800-171, CMMC Level 2 readiness, and ITAR/EAR data-handling requirements, under the direction of the Senior Analyst.
  • Help compile control attestations and evidence packages for the Firm's annual cyber insurance application and renewal cycle, supporting responses to underwriter and broker inquiries under senior oversight.
• Expected to maintain a regular and predictable work schedule and full attention to and engagement in work activities on behalf of the firm during business hours unless otherwise approved or required by applicable law.
• Special projects and duties as assigned.

Required Skills:

• Strong written and verbal communication skills; ability to translate control requirements into clear documentation and actionable guidance.
• Strong organizational skills and attention to detail.
• Ability to manage multiple priorities and deadlines.
• Knowledge or ability to learn Microsoft Office Suite, or Microsoft 365.

Required Qualifications & Education:

• Bachelor's degree in information security, Information Technology, Risk Management, Business, or equivalent practical experience.
• 3+ years of experience in GRC, information security, technology risk management, compliance, internal audit, or third-party risk management.
• Working knowledge of ISO/IEC 27000 Family concepts, NIST CSF/SP 800-53/800-171, and HIPAA.
• Familiarity with EU information security and privacy requirements (e.g., GDPR security principles); familiarity with NIS2 is a plus where relevant.
• Experience collecting, organizing, and validating control evidence and supporting audits/assessments.

• Certifications - ISACA: CRISC (Certified in Risk and Information Systems Control) and/or CISA (Certified Information Systems Auditor).

Preferred Qualifications & Education:

• Prior exposure to GRC, IT risk, or information security work in a law firm, professional services firm, or other client-confidential environment is preferred.
• Familiarity with legal-industry technology (document management such as iManage or NetDocuments; time and billing such as 3E or Aderant; conflicts and new business intake such as Intapp; eDiscovery platforms such as Relativity) and with the data-sensitivity considerations they raise is a plus.
• Awareness of the ABA Model Rules of Professional Conduct (in particular Rules 1.1 and 1.6) and applicable state bar requirements relating to technology competence and client confidentiality is preferred.
• Familiarity with Controlled Unclassified Information (CUI) handling, NIST SP 800-171, CMMC, and ITAR/EAR data-handling concepts; prior exposure to federal, defense, or government-contracts client matters is a plus.
• Certifications –
  • ISACA: COBIT Foundation, CD