Senior Data Protection Governance Analyst
The Depository Trust & Clearing Corporation (DTCC) · Jersey City, NJ · 3 wk ago
EngineeringFull-time
About the role
The Information Technology group at DTCC delivers secure, reliable technology solutions that enable the global capital markets. This role sits within the first line of defense, ensuring that management reporting, audit evidence, and risk narratives accurately reflect how data protection controls operate in practice.
Responsibilities
- Data Protection Program Governance: Own day-to-day governance activities for the Data Protection Program, ensuring alignment with DTCC control standards, regulatory expectations, and enterprise risk frameworks. Maintain authoritative program artifacts, including control inventories and control mappings, operating procedures and governance documentation, and centralized repositories for evidence and program records. Manage policy review cycles, control attestations, and exception tracking related to data protection obligations.
- Operational Procedures & Runbooks: Develop, maintain, and govern standard operating procedures (SOPs) and runbooks supporting data protection activities, including alert triage and escalation, exception handling and approvals, remediation tracking and validation. Ensure procedures are current, consistently applied, and aligned with how controls operate in production. Coordinate updates following control changes, incidents, or audit findings.
- Exception & Issue Management: Own centralized tracking of data protection exceptions, issues, and management actions arising from operational constraints, business requests, audit or regulatory findings. Manage exception intake, documentation, approvals, and periodic review to ensure items remain time-bound and risk-appropriate. Validate remediation actions with Engineering and Operations teams and track issues through closure.
- Audit & Evidence Pack Development: Serve as a primary first-line coordinator for data protection-related audits and reviews. Develop and maintain audit-ready evidence packs, including control design descriptions, operating procedures, metrics and effectiveness evidence, exception and remediation records. Ensure evidence is complete, consistent, version-controlled, and defensible.
- Metrics, Reporting & Risk Articulation: Own production of operational, management-level, and executive-level reporting on data protection effectiveness and risk posture. Translate technical control signals into clear, decision-useful risk narratives. Ensure metrics are consistent, repeatable, and aligned to enterprise data risk reporting standards.
- Audit, Risk & Regulatory Engagement: Serve as a first-line point of contact for Internal Audit, second-line Risk, and regulatory examinations related to data protection. Coordinate collection, validation, and presentation of audit-quality evidence. Track audit issues, management actions, and remediation commitments through to closure.
- Cross-Functional Coordination: Act as a governance liaison across Data Protection Engineering & Operations (first line), Data Risk Management and Technology Risk (second line), Privacy, Legal, and Cyber Governance teams. Ensure alignment between technical protection outcomes and broader enterprise data risk narratives. Program Maturity & Continuous Improvement: Identify opportunities to strengthen governance processes, reporting quality, and evidence consistency. Support scaling of governance as new capabilities are introduced (e.g., expanded DSPM coverage, AI data controls).
- Technical Control Understanding & Oversight: Maintain a strong working understanding of Data Loss Prevention (DLP) across email, endpoint, web, SaaS, and AI environments, data classification and labeling models, Data Security Posture Management (DSPM), CASB, and AI proxy enforcement patterns. Partner with Engineering and Operations teams to understand control intent, dependencies, and limitations, validate that reporting reflects real-world control behavior, identify gaps between control design, deployment, and outcomes.
Qualifications
- 5–8+ years of experience in cybersecurity governance, technology risk, compliance, audit support, or data protection programs within a regulated environment.
- Bachelor’s degree preferred or equivalent practical experience.
Skills
- Strong analytical, documentation, and executive-level communication skills, with the ability to distill complex technical concepts into clear, decision-ready narratives.
- Proven ability to understand, govern, and effectively challenge technical security controls without serving in a direct hands-on engineering capacity.
- Experienced in engaging with Internal Audit, second-line risk functions, and/or regulatory stakeholders.
- Current knowledge of data protection, security governance, and evolving risk and regulatory expectations.
- Builds and sustains trusted partnerships across engineering, risk, compliance, and governance teams.
- Communicates clearly and confidently with both technical and non-technical stakeholders.
Benefits
- Competitive compensation, including base pay and annual incentive.
- Comprehensive health and life insurance and well-being benefits, based on location.
- Pension / Retirement benefits.
- Paid Time Off and Personal/Family Care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.
- A flexible/hybrid model of 3 days onsite and 2 days remote (onsite Tuesdays, Wednesdays and a third day unique to each team or employee).