
Compliance & Risk Analyst IT (Varies)

Date: Feb 27, 2023

Location: Ybor City, Florida, US, 33605

Company: TECO

Title: Compliance & Risk Analyst IT (Varies) 
Company: Tampa Electric Company 
State and City: Florida - Ybor City
Shift: 8 Hr. X 5 Days

 

 

TITLE:  Compliance & Risk Analyst I
POSITION CONCEPT

Under general supervision, carries out procedures to ensure all information systems products and services meet IT&T organization standards and compliance obligations, including regulatory requirements, contractual requirements, and Emera requirements. The analyst is primarily responsible for the maintenance, training, assurance, monitoring and reporting of all IT standards and procedures, as well as IT&T-related regulatory requirements, for the TSI IT&T Department and individual business units as applicable.

 

PRIMARY DUTIES AND RESPONSIBILITIES 

  • Policies, standards, and processes: Analyzes best-in-class processes, including the Information Technology Infrastructure Library (ITIL), National Institute of Standards and Technology (NIST) standards, and COBIT, and keeps current on all regulatory and compliance issues relating to Information Technology. Responsible for maintaining all IT standards, procedures and policies.  Maintains internal desk-level procedures.  [15%]
  • Assurance and Information Management: Ensures that quality methods and procedures are executed by the IT department to stay in compliance with regulatory requirements (e.g., NERC Critical Infrastructure Protection (CIP), Sarbanes-Oxley (SOX)), contractual requirements (e.g., Payment Card Industry (PCI) Data Security Standard (DSS), Defense Federal Acquisition Regulation Supplement (DFARS) requirements), internal requirements (e.g., Emera), voluntary requirements (e.g., the American Gas Association commitment to the Department of Homeland Security (DHS) Transportation Security Administration (TSA) Pipeline Security Guidelines), and customer requirements. Manages compliance-related information and documentation consistent with retention requirements. Supports collection, review and approval of compliance-related data. Facilitates and tracks deliverables for root cause analysis, compliance reporting, technical feasibility exceptions, and NERC Alerts. 
  • Controls & Monitoring: Administers the IT Compliance Management Systems and Governance, Risk, and Compliance (GRC) tool(s). Collects and samples evidence to support demonstration of compliance. Escalates out-of-compliance items to senior management.  Participates in the implementation of technology-based tools (e.g., GRC) to support IT risk initiatives. Additionally, the analyst adheres to company confidentiality and security requirements. 
  • Reporting: Documents all quality problems and compliance issues, and assists in their resolution. Performs quality audits across various IT&T functions to ensure quality standards, procedures, and methodologies are being followed. Monitors and reports on exceptions, risks and exposures to IT senior management.  
  • Training and Communications: Develops and delivers quality process training to technical staff and acts as an internal quality consultant to facilitate business or technical partners on the use of the IT standards and procedures.  
  • Performance Management: Establishes and administers activities of performance analysis (e.g., metrics) within assigned area(s) of responsibility.  

 

QUALIFICATIONS

Education

Required:     Bachelor’s degree in Computer Science, Information Systems or a related field with a minimum of three (3) years of experience in an information technology, audit or utility business.

OR an Associate’s degree with a minimum of five (5) years of experience in an information technology, audit or utility business.

OR a valid high school diploma or GED with a minimum of seven (7) years of experience in an information technology, audit or utility business may be considered in lieu of a four-year degree.

Preferred:     Two (2) years of direct IT Audit or Controls experience strongly preferred.  Four (4) year degree in Computer Science, Information Systems, or related information technology discipline strongly preferred.

 

Licensing/Certification

Required:     Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position.

Preferred:     Current ITIL Certification.  Certified Information Systems Auditor (CISA) or related certifications.

 

Related Experience

Required:     Minimum of 3 years’ experience in an information technology, audit, or utility business environment is required. 

Preferred:     2 years of IT experience, especially in security or network technologies, or IT audit.

 

Knowledge/Skills/Abilities

Required:    Excellent writing skills for creating IT-related compliance documents.  Extensive knowledge and understanding of IT regulatory standards and control frameworks.  Ability to apply regulatory requirements within all aspects of the IT Department.  Demonstrates the ability to work with all levels of team members throughout the company.  

Preferred:    Knowledge of utility IT regulations.  Knowledge of SharePoint document management and workflow.

 

TITLE: Compliance & Risk Analyst II

POSITION CONCEPT

Under general supervision, carries out procedures to ensure all information systems and services meet IT&T organization standards and compliance obligations, including regulatory requirements, contractual requirements, and Emera requirements. The Compliance & Risk Analyst II is primarily responsible for audit readiness, compliance issue investigation and reporting, compliance information management, and controls/monitoring for multiple stakeholder sets.  Advises IT projects to ensure an appropriate compliance posture.  Acts as subject matter expert for certain compliance obligations.

 

PRIMARY DUTIES AND RESPONSIBILITIES (in addition to those of Compliance Analyst I)

  • Responsible for one or more IT compliance programs (e.g., NERC CIP, PCI DSS, SOX, DFARS, Emera Cyber Security, DHS TSA Pipeline Security).  This includes facilitation and tracking of deliverables for root cause analysis, violation reporting, technical feasibility exceptions, mitigation plan development, evidence reviews, external audit preparations, and NERC Alert responses. Supports the development of flow diagrams or other illustrations showing key steps associated with a given process or sub-process affected by applicable regulations and/or contract terms.  As needed, coordinates and facilitates technical feasibility exception audits, mitigation plan completion audits, and other audit spot checks with external auditors.  
  • Policies & Procedures: Liaises with IT&T areas such as IT Security, IT Project Management Office, IT Infrastructure, Telecom, Access Administration, and affected corporate areas and business units to facilitate the evaluation, design and implementation of effective methodologies, procedures and controls to comply with new and existing regulatory requirements.  
  • Controls & Monitoring: Provides independent assessment and assurance of the effectiveness and efficiency of the IT control environment. Administers and monitors the execution of the TEC compliance program by sampling compliance deliverables for acceptable content and assessing risk. Utilizes security tools to further sample content.   Participates in the implementation of technology-based tools (e.g., GRC) to support IT compliance and risk initiatives.


Responsible for one or more other areas within the department as assigned:

a.    As needed, provides updates to Business Strategy related to cybersecurity and the impact of new legislation/regulatory requirements on TEC business operations. 
b.    Risk Management: Works with technology teams and business stakeholders in the design, implementation, and optimization of IT risk assessment practices. 
c.    Policies & Procedures: 
      i.    Acts as ruleset liaison for assigned areas of compliance. 
      ii.   Acts as ruleset Subject Matter Expert (SME) for: 
            1.    Information Protection Program and assigned CIP compliance related to BES Cyber System Information. 
            2.    NERC CIP Awareness Program.
            3.    NERC CIP Training Program.
            4.    NERC CIP Security Management Controls.
d.    Training & Communication:
      i.    Ensures mandatory training is conducted, tracked, and recorded.
      ii.   Develops and facilitates compliance training for subject matter experts.
      iii.  Develops and/or provides input into the IT Security awareness program. 
e.    Performance Management: Develops and coordinates the assessment of cybersecurity awareness via tool-based phishing campaigns.

 

QUALIFICATIONS
Education/Training
Required:
    Bachelor’s degree in Computer Science, Information Systems or related field.  Experience may be considered in lieu of formal education. 


Licensing/Certification
Required:
    Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position.
Preferred:     Current ITIL Certification.  Audit (Certified Information Systems Auditor [CISA]) or security-related (Certified Information Systems Security Professional [CISSP], Certified in Risk and Information Systems Control [CRISC], Certified Information Security Manager [CISM]) certification.

 

Related Experience
Required:
    Minimum of 5 years’ experience in an information technology, audit or utility business environment is required, with at least two years in an IT security, audit or other controls-based role.
Preferred:     3 – 4 years IT security, IT audit or other controls experience.    

 

Knowledge/Skills/Abilities
Required:
   Maintains a working level knowledge of applicable regulatory requirements.  Ability to organize, document and facilitate meetings.  Good project management skills. Must be able to complete highly complex duties involving a wide variety of situations requiring considerable analytical skills, judgment and interpersonal relationships.  Ability to lead groups to consensus in a timely manner.  High tolerance for stress. 
Preferred:    Knowledge of SharePoint document management and workflow.

 
PROGRESSION BRANCHES HERE into Lead Compliance & Risk Analyst OR Compliance & Risk Advisor

TITLE:  Lead Compliance & Risk Analyst
POSITION CONCEPT

Supervises 2-4 compliance and risk analysts. Ensures all relevant compliance obligations are met. Leads and/or monitors compliance programs for specific rulesets as needed.  Ensures roadmaps and workplans are kept up to date. Ensures audit readiness, compliance issue investigation, reporting and correction, compliance information management, integration with the business, and controls/monitoring, for multiple stakeholder sets.  Advises IT projects to ensure an appropriate compliance posture. 

 

DUTIES AND RESPONSIBILITIES (in addition to those of Compliance Analyst II)

  • Maintains the Compliance and Risk Roadmap and associated workplan(s) to ensure the TECO affiliates are in compliance with existing and new IT regulatory, contractual, and Emera standards.  Assists with the IT QA and Compliance team strategy, goals development, and team communication.  Provides forecasts and budgets. 
  • Utilizes expertise and leadership skills to manage the work of self and team members to resolve issues and ensure day-to-day activities and project goals are met.  Establishes, assigns and reviews day-to-day activities and long-term projects, establishes goals and objectives, trains new employees and evaluates work performance.
  • Governance and Policies & Procedures: Leads and/or monitors the implementation and administration of relevant compliance programs. Leads and coordinates the incorporation of new regulatory requirements and other compliance obligations into the TECO (TSI, TEC, PGS, NMG) compliance management systems. Ensures integration of IT compliance obligations into IT, corporate and business policies, standards, procedures, and processes, including flow diagrams and automated reporting. 
  • Risk Management: Liaises with the IT Project Management Office and management to reduce risk by ensuring that relevant IT projects are allocated a compliance resource and that projects/tasks are completed within committed time and budget.
  • Training and Communications: Provides training and guidance, and oversees the work of staff/contractors to ensure quality results. Ensures mandatory training is reported to Ethics and Compliance.  
  • Controls & Monitoring:  Oversees independent assessment and assurance of the effectiveness and efficiency of the IT control environment. Administers and monitors the execution of the TEC compliance program by sampling compliance deliverables for acceptable content and assessing risk. Utilizes security tools to further sample content. Supports internal and external audits, reviews applicable findings and recommendations, and implements/oversees necessary corrective and/or preventive actions.  
  • Reporting & Performance Management:  Ensures compliance issues are investigated and reported to the appropriate authority. Monitors activities of performance analysis (e.g., metrics). Reports on the status of applicable compliance programs.  


QUALIFICATIONS
Education/Training
Required:    Four (4) year degree in computer science, information systems, or other related information technology field. 
Preferred:    Master’s degree in business administration, computer science, information systems, or other related information technology field. 

 

Licensing/Certification
Required:    Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position.  Audit (Certified Information Systems Auditor [CISA]) or security-related (e.g., Certified Information Systems Security Professional [CISSP], Certified Information Security Manager [CISM]) certification. 
Preferred:    Current ITIL Certification.  Certified in Risk and Information Systems Control (CRISC).

 

Experience
Required:  
  Minimum of 7 years’ experience in an information technology, audit or utility business environment is required, with at least three years in an IT audit or controls-based role. 
Preferred:      5+ years IT security, audit or other controls experience.

 

Knowledge/Skills/Abilities
Required:
   Maintains an expert-level knowledge of IT governance frameworks and regulatory, contractual, and internal compliance standards, including NERC CIP, SOX, DFARS, DHS TSA Pipeline Security Guidelines, COBIT, and the NIST Cybersecurity Framework.  Provides direction and feedback to team members. Ability to lead groups to consensus.  Ability to oversee IT projects as they relate to compliance.  Must be able to complete highly complex duties involving a wide variety of situations requiring considerable analytical skills, judgment, and interpersonal and organizational relationships.  Broad technical knowledge (e.g., infrastructure, security, change management, SDLC). Ability to train large groups on IT regulatory requirements. High tolerance for stress and managing competing priorities.
Preferred:    Negotiation skills.

 

TECO offers a competitive Benefits package!!

Competitive Salary * 401k Savings Plan w/ company matching * Pension Plan * Paid Time Off * Paid Holiday Time * Medical, Prescription Drug, & Dental Coverage * Tuition Assistance Program * Employee Assistance Program * Wellness Programs * On-site Fitness Centers * Bonus Plan and more!

 

STORM DUTY REQUIREMENTS.... Please make sure to read below!  Responding to storms will be considered a condition of employment.

TECO Energy and its companies serve a role in providing critical services to our community during an emergency. Team members are required to participate in the response/recovery activities related to emergencies/disasters to maintain service to our TECO Energy customers. Team members are required to work in their normal job duties or other assigned activities. Proper compensation will be made in accordance with the company's rules and procedures.

 

TECO Energy is proud to be an Equal Opportunity Employer.

TECO Energy is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, age, disability status, veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by law, except where physical or mental abilities are a bona fide occupational requirement and the individual is unable to perform the essential functions of the position with reasonable accommodations.

In order to provide equal employment and advancement opportunities for all individuals, employment decisions at TECO Energy will be based on skills, knowledge, qualifications and abilities.

Pay Transparency Non-Discrimination Statement
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)

ADA policy
It is the policy of TECO Energy to provide reasonable accommodation for all qualified disabled individuals who are employees and applicants for employment, unless it would cause undue hardship. The corporation will adhere to applicable federal and state laws, regulations and guidelines, including, but not limited to, the Americans with Disabilities Act (ADA) of 1990 and sections 503 and 504 of the Rehabilitation Act of 1973.

 

Application accommodations
Applicants may request reasonable accommodation in the application process five business days prior to the time accommodation is needed.

 

Pre-employment physical exams may be required for positions with bona fide job-related physical requirements regardless of disability. 

 

 

