Security Risk Analyst

**Why Catalina?** Catalina delivers omni-channel solutions to our customers with a long-standing history of rich data assets, but our _greatest _asset is our people. Our guiding principles set the stage for winning in the markets we serve, and our potential is powerful. When you join the Catalina team, you will be part of an inclusive environment that embraces flexibility, community involvement, work-life balance as well as opportunities to grow professionally.

**Our Team**

The Security Risk Analyst plays a pivotal role in safeguarding our organization against the potential risks posed by third-party vendors and service providers. This individual ensures that all external partnerships adhere to strict regulatory standards and internal policies, prioritizing data privacy and security controls by conducting thorough evaluations and risk assessments. Collaborating closely with internal stakeholders, the analyst facilitates a comprehensive approach to third-party risk management, enhancing the integration of services with a keen focus on security and compliance. Additionally, leading and innovating the Security Awareness Program, the analyst champions a culture of security mindfulness across the organization, educating employees on best practices and mitigating the risks of social engineering attacks.

**Responsibilities**
- Evaluate third-party vendors and service providers to identify and mitigate potential organizational risks, ensuring compliance with regulatory requirements and internal policies.
- Work collaboratively with internal stakeholders, including the privacy team, procurement, and business owners, to manage third-party risks effectively, ensuring the secure integration of services and data management.
- Facilitate the completion and evaluation of third-party risk management forms by vendors, ensuring comprehensive risk analysis before proceeding with partnerships.
- Participate and improve the Security Awareness Program, including Phishing campaigns, to educate users on security best practices, contributing to a culture of heightened security awareness and reduced risk of social engineering attacks.
- Proactively conduct risk assessments to identify potential vulnerabilities and compliance gaps with third-party vendors, focusing on data privacy, security controls, and contractual obligations to safeguard organizational assets.
- Recommend and implement risk mitigation plans for identified vulnerabilities, ensuring that all third-party services align with the company's security standards and compliance requirements.
- Monitor and enforce third-party compliance with relevant regulatory standards and internal policies, reducing legal and operational risks.
- Keep accurate and up-to-date records of risk assessments, mitigation actions, and compliance activities to support audit processes and decision-making.
- Assist in SOC2 and other relevant audits by liaising with auditors and conducting thorough IT controls testing to ensure the design and operational effectiveness of security measures.
- Develop and lead the Security Awareness Program, conducting Phishing campaigns and other initiatives to educate and test the workforce, aiming to reduce susceptibility to cyber threats.
- Compile and analyze results from security initiatives, like Phishing campaigns, to identify trends, report on program effectiveness, and adjust strategies accordingly.
- Interact with vendors to conduct assessments and ensure the completion of necessary evaluations, emphasizing the importance of security from the onset of vendor relationships.
- Provide guidance to internal stakeholders regarding the importance of third-party risk management, educating them on the processes and requirements for adding new vendors or services.
- Continually seek opportunities to improve third-party risk management practices, security awareness programs, and compliance processes to adapt to changing threats and regulatory landscapes.
- Other assigned tasks to support the security program.

**Qualifications**
- Bachelor’s degree in Information Security, Cybersecurity, Computer Science, Information Systems, or a related field; or equivalent experience.
- Professional certifications such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or equivalent certifications focused on risk management, audit, and compliance preferred.
- 3 to 5 years of experience in conducting risk assessments, managing third-party risks, and ensuring compliance with relevant standards and regulations.
- In-depth understanding of auditing standards, compliance requirements (e.g., SOC2, ISO 27001, NIST CSF, GDPR), and risk management frameworks.
- Expertise in evaluating and implementing risk mitigation strategies to address vulnerabilities associated with third-party vendors and service providers.
- Strong analytical, communication, and project management skills, essential for managing risk assessments, mitigation actions, and