Jobs · Information Technology · Florida

IT Enterprise Risk Analyst

Holland & Knight LLP · Tampa, FL · 3 wk ago
Information TechnologyFull-time

About the role

We are seeking an IT Enterprise Risk Analyst to join our team. The role is based in the Firm's global operations center in Tampa, FL.

Responsibilities

  • Support the development, review, and maintenance of information security and technology risk policies, standards, procedures, and guidance documents.
  • Maintain the policy lifecycle process, including stakeholder reviews, approvals, publication, periodic review schedules, and version control.
  • Map policies/standards to ISO, NIST, CIS Controls, SOC 2, HIPAA, GLBA, U.S. state privacy laws, and EU requirements, and to applicable client Outside Counsel Guidelines and contractual security addenda; maintain crosswalks and control documentation to support audit readiness.
  • Administer policy exception and risk acceptance of workflows, ensuring justification, compensating controls, approvals, and defined expiration/renewal dates.
  • Contribute to awareness materials and operational guidance to promote consistent implementation of requirements.
  • Help maintain controls supporting ethical walls / information barriers, matter-level access restrictions, and legal hold obligations, under the direction of the Senior Analyst and in partnership with the Office of the General Counsel, Conflicts, and Records & Information Governance.
  • Conduct or facilitate risk assessments for applications, infrastructure, cloud services, Firm-critical legal-industry platforms (document management, time and billing, conflicts and new business intake, eDiscovery, and matter management), and key business processes; document risk statements, likelihood/impact, and control effectiveness.
  • Maintain and update the risk register, including inherent and residual ratings, treatment plans, owners, milestones, and status updates.
  • Partner with control owners to identify remediation actions, track progress, and validate closure with appropriate evidence.
  • Support ongoing risk monitoring through key risk indicators (KRIs) and control health metrics, including indicators relevant to the legal sector (e.g., business email compromise and wire-fraud schemes, ransomware targeting law firms, and client-confidential data exposure).
  • Draft and contribute to risk reporting and summaries for governance forums under the direction of the IT Enterprise Risk Management Manager, including content packaged for Firm leadership and Firm Management Committee audiences.
  • Support incident response activities by gathering control and risk evidence, contributing to post-incident lessons learned, and helping ensure resulting control improvements are tracked in the risk register.
  • Perform third party security due diligence based on vendor criticality and risk tiering (including third-industry parties such as co-counsel and local counsel, eDiscovery and document review providers, expert witnesses, court reporters and translators, legal-technology SaaS vendors, and managed-service providers handling client matter data); coordinate security questionnaires and evidence collection.
  • Review assurance artifacts such as SOC reports, ISO certificates, penetration test summaries, security whitepapers, and privacy/security attestations.
  • Identify gaps, document findings, recommend remediation/compensating controls, and track vendor action plans to closure.
  • Support periodic vendor reassessments and reassessments triggered by scope changes, incidents, or material updates.
  • Draft initial responses to inbound client security questionnaires and Outside Counsel Guideline (OCG) inquiries for Senior Analyst review; help maintain a controlled answer library and partner with the engagement attorney and Loss Prevention on follow-ups.
  • Support internal and external audits by coordinating evidence collection, control walkthroughs, and timely responses to audit requests.
  • Aid in gap assessments and control testing against ISO 27001/27002, NIST CSF / SP 800-53 / 800-171, CIS Controls, SOC 2 Trust Services Criteria, GLBA Safeguards Rule, and HIPAA requirements.
  • Track audit findings, corrective action plans (CAPs), and management responses; monitor remediation progress and validate closure evidence.
  • Maintain audit artifacts including control matrices, evidence inventories, and standardized templates to improve repeatability and audit readiness.
  • Help compile control attestations and evidence packages for the Firm’s annual cyber insurance application and renewal cycle, supporting responses to underwriter and broker inquiries under senior oversight.

Qualifications

  • Strong written and verbal communication skills; ability to translate control requirements into clear documentation and actionable guidance.
  • Strong organizational skills and attention to detail.
  • Ability to manage multiple priorities and deadlines.
  • Knowledge or ability to learn Microsoft Office Suite, or Microsoft 365.

Required Qualifications & Education

  • Bachelor’s degree in information security, Information Technology, Risk Management, Business, or equivalent practical experience.
  • 3+ years of experience in GRC, information security, technology risk management, compliance, internal audit, or third-party risk management.
  • Familiarity with ISO/IEC 27000 Family concepts, NIST CSF/SP 800-53/800-171, and HIPAA.
  • Familiarity with EU information security and privacy requirements (e.g., GDPR security principles); familiarity with NIS2 is a plus where relevant.
  • Experience collecting, organizing, and validating control evidence and supporting audits/assessments.
  • Certifications - ISACA: CRISC (Certified in Risk and Information Systems Control) and/or CISA (Certified Information Systems Auditor).

Preferred Qualifications & Education

  • Prior exposure to GRC, IT risk, or information security work in a law firm, professional services firm, or other client-confidential environment is preferred.
  • Familiarity with legal-industry technology (document management such as iManage or NetDocuments; time and billing such as 3E or Aderant; conflicts and new business intake such as Intapp; eDiscovery platforms such as Relativity) and with the data-sensitivity considerations they raise is a plus.
  • Awareness of the ABA Model Rules of Professional Conduct (in particular Rules 1.1 and 1.6) and applicable state bar requirements relating to technology competence and client confidentiality is preferred.
  • Familiarity with Controlled Unclassified Information (CUI) handling, NIST SP 800-171, CMMC, and ITAR/EAR data-handling concepts; prior exposure to federal, defense, or government-contracts client matters is a plus.
  • Certifications –ISACA: COBIT Foundation, CDPSE, or CGEIT as applicable to governance, privacy, and enterprise risk responsibilities ISO/IEC 27001 Internal Auditor, Lead Implementer, or Lead Auditor.
  • Cloud and platform risk certifications such as Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900), Azure Security Engineer Associate (AZ-500), or similar.

Benefits

Comprehensive medical (PPO and HDHPs), dental and vision plans including coverage for domestic partners; life and AD&D insurance; short and long term disability insurance; tax-advantaged accounts for health care expenses, including FSAs and HSAs; FSAs for dependent care; health advocacy services; behavioral health and counseling resources for all family members; 401(k); profit sharing; backup dependent care; senior care planning support; resources for individuals with development disabilities and their caregivers; and paid holidays and other paid time off, including paid leave for new parents.

Similar jobs