POWER UP A CAREER WITH US

Our people are our greatest investments.  

Be the light to help us keep our customers connected.  If you are interested in a career and not just a position, Tampa Electric is the place to be! Tampa Electric offers competitive pay, a comprehensive benefits package and opportunities for growth and development in a friendly and professional work environment. We embrace diversity and the inclusion of all. We believe our differences, unique perspectives and talents are our strengths and integral to the success of our company. 

 We’re honored to serve approximately 780,000 customers across West Central Florida and safely provide them with clean, affordable and reliable electricity. We’ve been doing it for more than 100 years, and there’s so much more ahead.   

 Join our team of energy experts as we build on that legacy through innovation, continued solar investments, cost-effective and sustainable energy solutions all while keeping top-notch customer service at the center of all we do.  

Title: Compliance & Risk Analyst, Progression    
Company: Tampa Electric Company
Location: Ybor Data Center    
State and City: Florida    -  Ybor City
Shift: 8 Hr. X 5 Days  

Hiring Manager: Bob E Maxey Jr   

Recruiter: Mark E Koener    

 

 

TITLE:     Compliance & Risk Analyst/Advisor, Progression
PERFORMANCE COACH:     Lead Compliance & Risk Assurance / Manager
COMPANY:    Tampa Electric Company
DEPARTMENT:     Technology     


POSITION CONCEPT
The Compliance & Risk Analyst/Advisor progression carries out procedures to ensure all information systems products and services meet Technology organization standards and compliance obligations, including regulatory requirements, contractual requirements, and Emera requirements. Analysts are primarily responsible for the maintenance, training, assurance, monitoring and reporting of all IT standards and procedures, as well as Technology-related regulatory requirements for the Technology Department and individual business units as applicable.

Advancement to a higher level is based on value added to the Company through increased duties, responsibilities, and accomplishments. Advancement is not automatic, i.e. based solely on time in the job, but will be based on the employee’s performance, qualifications, and the technical needs of the department.

PRIMARY DUTIES AND RESPONSIBILITIES 
1.    Assurance and Information Management: Ensures that quality methods and procedures are executed by the IT department to stay in compliance with regulatory requirements, e.g., NERC Critical Infrastructure Protection (CIP), Sarbanes-Oxley (SOX), contractual requirements (e.g., Payment Card Industry (PCI) Data Security Standards (DSS), Defense Federal Acquisition Regulation System (DFARS) requirements), internal requirements, e.g., Emera, voluntary requirements, e.g., American Gas Association commitment to Department of Homeland Security (DHS) Transportation Safety Administration (TSA) Pipeline Security Guidelines, and customer requirements. Manages compliance-related information and documentation consistent with retention requirements. Supports collection, review and approval of compliance-related data. Facilitates and tracks deliverables for root cause analysis, compliance reporting, technical feasibility exceptions, and NERC Alerts. [25%]

2.    Controls & Monitoring: Administers the IT Compliance Management Systems and Governance, Risk, and Compliance (GRC) tool(s). Collect and sample evidence to support demonstration of compliance. Escalates out of compliance items to senior management. Participate in the implementation of technology-based tools (e.g., GRC) to support IT risk initiatives. Additionally, analyst adheres to company confidentiality and security requirements. [20%]

3.    Reporting: Documents all quality problems and compliance issues, and assists in their resolution. Performs quality audits across various IT&T functions to ensure quality standards, procedures, and methodologies are followed. Monitors and reports on exceptions, risks and exposures to Technology senior management. [20%]

4.    Policies, standards, and processes: Analyzes best-in-class processes including IT Information Library (ITIL), National Institute of Standards and Technology (NIST) standards, and COBIT, and keeps current on all regulatory and compliance issues relating to Information Technology. Maintains all Technology standards, procedures and policies. Maintains internal desk-level procedures. [15%]

5.    Training and Communications: Develops and delivers quality process training to technical staff and acts as an internal quality consultant to facilitate business or technical partners on the use of the Technology Standards and Procedures. [10%]

6.    Performance Management: Establishes, and administers, activities of performance analysis (e.g., metrics) within assigned areas of responsibility. [10%]

Focus Areas: Networking and Server/PC Configuration.

SUPERVISION
Direct:      No direct reports. 


Compliance & Risk Analyst I

POSITION CONCEPT
Under general supervision, carries out procedures to ensure all information systems products and services meet Technology organization standards and compliance obligations, including regulatory requirements, contractual requirements, and Emera requirements. Analysts are primarily responsible for the maintenance, training, assurance, monitoring and reporting of all IT standards and procedures, as well as Technology-related regulatory requirements for the Technology Department and individual business units as applicable.

PRIMARY DUTIES AND RESPONSIBILITIES (Each item should account for ≥10%).    
1.    Policies, standards, and processes: Analyzes best-in-class processes including IT Information Library (ITIL), National Institute of Standards and Technology (NIST) standards, and COBIT, and keeps current on all regulatory and compliance issues relating to Information Technology. Maintains all Technology standards, procedures and policies. Maintains internal desk-level procedures. [15%]
2.    Assurance and Information Management: Ensures that quality methods and procedures are executed by the IT department to stay in compliance with regulatory requirements, e.g., NERC Critical Infrastructure Protection (CIP), Sarbanes-Oxley (SOx), contractual requirements (e.g., Payment Card Industry (PCI) Data Security Standards (DSS), Defense Federal Acquisition Regulation System (DFARS) requirements), internal requirements, e.g., Emera, voluntary requirements, e.g., American Gas Association commitment to Department of Homeland Security (DHS) Transportation Safety Administration (TSA) Pipeline Security Guidelines, and customer requirements. Manages compliance-related information and documentation consistent with retention requirements. Supports collection, review and approval of compliance-related data. Facilitates and tracks deliverables for root cause analysis, compliance reporting, technical feasibility exceptions, and NERC Alerts. [25%]
3.    Controls & Monitoring: Administers the IT Compliance Management Systems and Governance, Risk, and Compliance (GRC) tool(s). Collect and sample evidence to support demonstration of compliance. Escalates out of compliance items to senior management. Participate in the implementation of technology-based tools (e.g., GRC) to support IT risk initiatives. Additionally, analyst adheres to company confidentiality and security requirements. [20%]
4.    Reporting: Documents all quality problems and compliance issues, and assists in their resolution. Performs quality audits across various IT&T functions to ensure quality standards, procedures, and methodologies are followed. Monitors and reports on exceptions, risks and exposures to Technology senior management. [20%]
5.    Training and Communications: Develops and delivers quality process training to technical staff and acts as an internal quality consultant to facilitate business or technical partners on the use of the Technology Standards and Procedures. [10%]
6.    Performance Management: Establishes, and administers, activities of performance analysis (e.g., metrics) within assigned areas of responsibility. [10%]


SUPERVISION
Direct:      No direct reports. Works under general supervision.


QUALIFICATIONS

Education

Required:     Bachelor’s degree in Computer Science, Information Systems or a related field with a minimum of three (3) years of experience in information technology, audit, or utility business.
OR Associates Degree with a minimum of five (5) years of experience in information technology, audit or utility business
OR Valid high school diploma or GED with a minimum of seven (7) years of experience in information technology, audit, or utility business may be considered in lieu of a four-year degree.

Preferred:     Two (2) years of direct IT Audit or Controls experience strongly preferred. Four-year degree in Computer Science, Information Systems, or related information technology discipline strongly preferred.

Licensing/Certification

Required:     Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position.
Preferred:     Current ITIL Certification. Certified Information Systems Auditor (CISA) or related certifications.

Related Experience
Required:     3 years of experience in an information technology, audit, or utility business environment. 

Preferred:     2 years of IT experience, especially security, or network technologies, IT audit.

Knowledge/Skills/Abilities

Required:     Excellent writing skills for creating Technology-related compliance documents. An extensive knowledge and understanding of IT regulatory standards and control frameworks. Ability to apply regulatory requirements within all aspects of the IT Department. Demonstrates the ability to work with all levels of team members throughout the company. 

Preferred:    Proficient in security tools (SIEM, EDR, TPAM) with a strong understanding of network protocols and security principles. Knowledge of Utility IT regulations. Knowledge of SharePoint document management and workflow.


PHYSICAL DEMANDS/REQUIREMENTS

Normal physical demands related to an office workplace environment. 
 

Compliance & Risk Analyst II

POSITION CONCEPT
The Compliance and Risk Analyst II, under general supervision, carries out procedures to ensure all information systems and services meet IT organization standards and compliance obligations, including regulatory requirements, contractual requirements, and Emera requirements. Primarily responsible for audit readiness, compliance issue investigation and reporting, compliance information management, and controls/monitoring for multiple stakeholder sets. Advises on IT projects to ensure an audit-ready compliance posture. Acts as subject matter expert for certain compliance obligations.

PRIMARY DUTIES AND RESPONSIBILITIES
(In addition to those of Compliance & Risk Analyst I)
1.    Responsible for one or more IT compliance programs (e.g., NERC CIP, PCI DSS, SOX, DFARS, Emera Cyber Security, DHS TSA Pipeline Security). This includes facilitation of and tracking of deliverables for root cause analysis, violation reporting, technical feasibility exceptions, mitigation plan development, evidence reviews, external audit preparations, and NERC Alerts responses. Support the development of flow diagrams or other illustrations showing key steps associated with a given process or sub-process affected by applicable regulations and/or contract terms. Coordinates and facilitates technical feasibility-exception audits, mitigation plan completion audits, and other audit spot checks with external auditors. [30%]
2.    Policies & Procedures: Liaise with IT&T areas such as IT Security, IT Project Management Office, IT Infrastructure, Telecom, Access Administration, and affected corporate areas and business units to facilitate the evaluation, design and implementation of effective methodologies, procedures and controls to comply with new and existing regulatory requirements.  [25%]
3.    Responsible for one or more other areas within department, as assigned. [25%]:
a.    Provides updates to Business Strategy related to cybersecurity and impact of new legislation/regulatory requirements on Tampa Electric business operations. 
b.    Risk Management: Work with technology teams and business stakeholders in the design, implementation, and optimization of IT risk assessment practices. 
c.    Policies & Procedures: 
i.    Act as ruleset liaison for assigned areas of compliance. 
ii.    Act as ruleset Subject Matter Expert (SME) for 
1.    Information Protection Program and assigned CIP compliance related to BES Cyber System Information. 
2.    NERC CIP Awareness Program.
3.    NERC CIP Training Program.
4.    NERC CIP Security Management Controls.
d.    Training & Communication:
i.    Ensure mandatory training is conducted, tracked, and recorded.
ii.    Develop and facilitate compliance training for subject matter experts.
iii.    Develops and/or provides input into IT Security awareness program. 
e.    Performance Management: Develops and coordinates the assessment of cybersecurity awareness via phishing campaigns utilizing tools.
4.    Controls & Monitoring: Provide independent assessment and assurance of the effectiveness and efficiency of the IT control environment. Administers and monitors the execution of Tampa Electric compliance program by sampling compliance deliverables for acceptable content and assessing risk. Utilize security tools to further sample content. Participate in the implementation of technology-based tools (e.g., GRC) to support IT compliance and risk initiatives. [20%]


 SUPERVISION
Direct:      No direct reports. 

Indirect:      N/A.


QUALIFICATIONS

Education

Required:     Bachelor’s degree in Computer Science, Information Systems or related field. Experience may be considered in lieu of formal education. 

Licensing/Certification

Required:     Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position.

Preferred:     Current ITIL Certification. Audit (Certified Information Systems Auditor [CISA]) or security-related (Certified Information Systems Security Professional [CISSP], Certified in Risk and Information Systems Control [CRISC], Certified Information Security Manager [CISM]) certification.

Related Experience

Required:     5 years of experience in information technology, audit or utility business environment is required, with at least two years in an IT security, audit or other controls-based role.

Preferred:     IT security, IT audit or other controls experience.    

Knowledge/Skills/Abilities

Required:    Maintains a working level knowledge of applicable regulatory requirements. Ability to organize, document and facilitate meetings. Good project management skills. Must be able to complete highly complex duties involving a wide variety of situations requiring considerable analytical skills, judgment and interpersonal relationships. Ability to lead groups to consensus in a timely manner. High tolerance for stress. 

Preferred:    Proficient in security tools (SIEM, EDR, TPAM) with a strong understanding of network protocols and security principles. Knowledge of SharePoint document management and workflow.


Lead Compliance & Risk Analyst

POSITION CONCEPT
The Lead Compliance & Risk Analyst will manage a team of compliance and risk analysts. Ensure all relevant compliance obligations are met. Leads and/or monitors compliance programs for specific rulesets as needed. Ensure road maps and workplans are kept up to date. Ensures audit readiness, compliance issue investigation, reporting and correction, compliance information management, integration with business, and controls/monitoring, for multiple stakeholder sets. Advises on IT projects to ensure an audit-ready compliance posture. 

DUTIES AND RESPONSIBILITIES (in addition to those of Compliance Analyst II)
1.    Maintains Compliance and Risk Roadmap and associated workplan(s) to ensure Tampa Electric affiliates are compliant with IT regulatory, contractual, and Emera existing and new standards. Assists with the IT QA and Compliance team strategy, goals development, and team communication. Provide forecast and budget. [15%]
2.    Utilizes expertise and leadership skills to manage the work of self and team members to resolve issues to ensure day-to-day activities and project goals are met. Establishes, assigns and reviews day-to-day activities and long-term projects, establishes goals and objectives, trains new employees and evaluates work performance. [20%]
3.    Governance and Policies & Procedures: Lead and/or monitor the implementation and administration of relevant compliance programs. Leads and coordinates new regulatory requirements and other compliance obligations into the Tampa Electric affiliate compliance management systems. Ensure integration of IT compliance obligations into IT, corporate and business policies, standards, procedures, and processes, including flow diagrams and automated reporting. [20%]
4.    Risk Management: Liaise with IT Project Management Office and management to reduce risk by ensuring that relevant IT projects are allocated a compliance resource and that projects/tasks are completed within committed time and budget. [15%]
5.    Training and Communications: Provides training, guidance and oversees work of staff/contractors to ensure quality results. Ensure mandatory training is reported to Ethics and Compliance. [10%]
6.    Controls & Monitoring:  Oversee independent assessment and assurance of the effectiveness and efficiency of the IT control environment. Administers and monitors the execution of TEC compliance program by sampling compliance deliverables for acceptable content and assessing risk. Utilize security tools to further sample content. Support internal and external audits, review applicable findings and recommendations, and implement/oversee necessary corrective and/or preventive actions. [10%]
7.    Reporting & Performance Management:  Ensure compliance issues are investigated and reported to appropriate authority. Monitors activities of performance analysis (e.g., metrics). Report on status of applicable compliance programs. [10%]

SUPERVISION 

Direct:      Supervises the day-to-day activities of IT QA and Compliance team members. Provides direct input to the Technology Quality Assurance and Compliance Director on performance-related issues. As needed, supervise and mentor BCE Student, Co-op, and/or Intern. 

Indirect:      Indirect supervision of contract project manager. As needed, supervise third-party consultants (e.g., Sunera, DigitalBrainz, Archer Energy Solutions, Corporate Risk Solutions Inc.).


QUALIFICATIONS

Education

Required:    Bachelor’s degree in computer science, information systems, or other related information technology field. 

Preferred:    Master’s degree in business administration, computer science, information systems, or other related information technology field. 

Licensing/Certification

Required:    Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position. Audit (Certified Information Systems Auditor [CISA]) or security-related (e.g., Certified Information Systems Security Professional [CISSP], Certified Information Security Manager [CISM]) certification.
 
Preferred:    Current ITIL Certification. Certified in Risk and Information Systems Control (CRISC).

Experience

Required:     7 years of experience in information technology, audit or utility business environment, with at least three years in an IT audit or controls-based role. 

Preferred:      5 years of IT security, audit or other controls experience.

Knowledge/Skills/Abilities

Required:    Maintains an expert level knowledge of IT governance frameworks and regulatory, contractual, and internal compliance standards including NERC CIP, SOX, DFARS, DHS, COBIT, NIST Cyber Security Framework. Provide direction and feedback to team members. Ability to lead groups to consensus. Ability to oversee IT projects as they are related to compliance. Must be able to complete highly complex duties involving a wide variety of situations requiring considerable analytical skills, judgment and interpersonal organizational relationships. Broad technical knowledge (e.g., infrastructure, security, change management, SDLC). Ability to train large groups on IT regulatory requirements. High tolerance for stress and managing competing priorities.

Preferred:    Negotiation skills.


Compliance & Risk Advisor

POSITION CONCEPT
The Compliance & Risk Advisor will facilitate integration and implementation of relevant new compliance obligations and changes; monitors change and participates, from an industry perspective. Leads and/or monitors compliance programs for specific rulesets as needed. Participates in development of road maps and workplans. Facilitates with stakeholders, especially technical SMEs – requiring a deep understanding of both the requirements and willingness to review/understand the current environment. Ensures audit readiness, compliance issue investigation, reporting, and correction, compliance information management, integration with business, and controls/monitoring, for multiple stakeholder sets. Advises on IT projects to ensure an audit-ready compliance posture. 

DUTIES AND RESPONSIBILITIES (in addition to those of Compliance & Risk Analyst II)
1.    Governance:  Lead or participate in the implementation and administration of relevant compliance programs. Leads and incorporates new regulatory requirements and other compliance obligations into the Tampa Electric compliance management systems. [20%]
2.    Risk Management:  Monitor external compliance obligations; research, analyze and communicate potential impact to Tampa Electric affiliates. Work directly with business units, corporate areas and management in the development of industry comments and voting recommendations for relevant compliance obligations as needed (e.g., NERC CIP standards) and participate in development of standards by attending virtual committee meetings to inform the design and implementation of new regulatory requirements.  Provide input to IT Compliance and Risk Roadmap and associated workplan to ensure the Tampa Electric affiliates are compliant with IT, regulatory, contractual, Emera existing and new standards. [20%]
3.    Policies and Procedures:  Ensure integration of IT compliance obligations into IT, corporate and business policies, standards, procedures, and processes, including flow diagrams. Rapidly research, develop and maintain deep understanding of compliance obligations as well as our current IT&T, corporate, and business environments and serve as consultant/liaison with affected IT&T, corporate areas and business units to advise on potential impact and facilitate the evaluation, design and implementation of effective methodologies, procedures and controls to comply with new and existing regulatory requirements and other compliance obligations. Collaborate with project manager(s) to identify relevant project tasks and associated pre-requisites/dependencies, timing, and associated automation to ensure departmental procedures are developed, implemented, and integrated. [20%]
4.    Training and Communications: Provides training, guidance, industry insight and business liaison for staff/contractors to ensure quality results. Coordinates with Information Security to communicate results across areas of the business. Recommend external education and future training. [10%]
5.    Controls & Monitoring:  Identify and design methods of monitoring and sampling, including use of security tools. Able to meet project timeframes and communicate with all stakeholders to avoid problems. [10%]
6.    Reporting & Performance Management:  Advise on and/or execute compliance concern investigations, performance analysis (e.g., metrics), and report on status of applicable compliance programs. [10%]
7.    Information Management:  Investigates corporate readiness and designs plans for improving the cybersecurity baselines; work with cross-functional SMEs to design and implement methods to collect and/or automate compliance-related data. [10%]

SUPERVISION 

Direct:      No direct reports. Works under general supervision.

Indirect:      N/A.


QUALIFICATIONS

Education

Required:    Bachelor’s degree in computer science, information systems, or other related information technology field. 

Preferred:    Master’s degree in business administration, computer science, information systems, or other related information technology fields. 

Licensing/Certification

Required:    Expected to obtain Information Technology Infrastructure Library (ITIL) Certification within 6 months of employment in this position. Audit (Certified Information Systems Auditor [CISA]) or security-related (e.g., Certified Information Systems Security Professional [CISSP], Certified Information Security Manager [CISM]) certification.

Preferred:    Current ITIL Certification. 

Experience

Required:     7 years of experience in information technology, audit, or utility business environment, with at least three years in IT security, audit or other controls-based role. 

Preferred:      5 years of experience in IT security, audit or controls.  3+ years NERC CIP compliance program experience.

Knowledge/Skills/Abilities

Required:    Maintains an expert level knowledge of IT governance frameworks and compliance standards including NERC CIP, SOx, PCI DSS, DFARS, COBIT, NIST Cyber Security Framework, DHS TSA Pipelines Security Guidelines. Broad technical knowledge (e.g., infrastructure, security, change management, SDLC); capability to zero in on essential information. Broad utility industry business understanding. Must be able to complete highly complex duties involving a wide variety of situations requiring considerable analytical skills, judgment and interpersonal organizational relationships. Ability to reconcile conflicting information and lead groups to consensus. Ability to advise on Technology projects as they are related to compliance. Project management capabilities. Ability to train large groups on IT regulatory requirements. High tolerance for stress and managing competing priorities.

Preferred:    Negotiation skills.

 

TECO offers a competitive Benefits package!!

 

Competitive Salary * 401k Savings plan w/ company matching * Pension plan * Paid time off * Paid Holiday time * Medical, Prescription Drug, & Dental Coverage * Tuition Assistance Program * Employee Assistance Program * Wellness Programs * On-site Fitness Centers * Bonus Plan and more!

 

 

 

