Information Security Risk and Compliance Analyst II

Role overview

Meet CarGurus—the #1 visited online car shopping website in the US. At CarGurus, we’re building the world’s most trusted and transparent automotive marketplace where it’s easy to find great deals from top-rated dealers. 

Working on the Information Security Risk and Compliance team, the Information Security Risk Analyst II position is responsible for the identification, assessment, measurement, monitoring, and management of technology risk related to compliance requirements.

The role will focus on measuring the efficacy and efficiency of controls across IT and Security audits, rightsizing the design of controls for our environments, and implementing these controls. This person will work closely with different teams, internal and external auditors to fulfill control requirements by collecting evidence and demonstrating compliance. As part of the team, this person will be responsible for helping maintain, launch, and monitor our security awareness programs inclusive of phishing and other security training.

A well-qualified candidate will be comfortable taking direction from senior members of the Risk and Compliance team and be able to work autonomously when given an assignment or project. The candidate must have strong written and verbal communication skills, strong organization skills, and a good understanding of cyber security principles, concepts, and risk management.

What you'll do

• Maintain the framework controls in the GRC platform and ensure that appropriate documentation and evidence is uploaded
• Assist in conducting proof of concept(s) on new risk technology and assisting with implementation and onboarding of it
• Perform risk assessments and audits across all areas of the business including third party risk complying with regulatory controls, such as SOX, GDPR, CPRA, SOC 2 Type 1 and 2. etc.
• Document and develop risk mitigation plans and strategies for identified risks
• Develop and deliver security awareness training to the organization and assume responsibility that we are meeting compliance requirements
• Conduct third-party vendor, partner, and contractor security risk assessments
• Perform audits to test the design and operational effectiveness of IT General Controls
• Work closely with financial application owners to design, document, and implement controls
• Measure the efficacy and efficiency of controls and design improvements as necessary
• Right size the design of controls to fit our organizational environments
• Stay current with industry trends relating to cybersecurity, privacy, and risk

What you'll bring

• Bachelor’s Degree or equivalent combination of education and experience in Information Security, Computer Science, Management Information Systems, or related curriculum.
• 3 years of experience in risk management, information security, audit, regulatory compliance, and data privacy functions.
• Knowledge of frameworks/compliance regimes (e.g., CIS Controls, NIST, PCI, SOX compliance).
• Proven experience working with control owners, auditors, and supporting the implementation of risk-based controls in cloud-native environments. 
• Understanding of risk assessment methodologies, frameworks, procedures, and the ability to work flexibly with them to meet organizational size, maturity, and culture considerations.
• Ability to gauge risks posed to the company based on contextual factors and the organization’s risk tolerance.
• Knowledge of risk assessment tools, technologies, and methods.
• Ability to think strategically about security risks and tie those to tactical organizational activities and goals.
• Open to learning and working on new domains and technology.
• Ability to clearly articulate issues and communicate in an effective and personable manner.
• Ability to adjust quickly to the security needs of a highly agile organization.
• Experience building relationships cross-functionally and facilitating good partnerships is critical in the role.