Requisition Number: 2023-03-04307-0160-001
Job Title: Information Security Risk & Compliance Analyst
City: New York
State: NY
Shift: Monday-Friday; 9:30 AM - 5:30 PM
Hours: 35

Simpson Thacher & Bartlett LLP is one of the world’s leading international law firms. The Firm was established in 1884 and has more than 1,000 lawyers. Headquartered in New York with offices in Beijing, Brussels, Hong Kong, Houston, London, Los Angeles, Palo Alto, São Paulo, Tokyo and Washington, D.C., the Firm provides coordinated legal advice and transactional capability to clients around the globe. Cross-border finance, banking and bank regulation, mergers and acquisitions, securities issuance and regulation, project and asset based finance, real estate, asset management, joint ventures, taxation, litigation and dispute resolution are important aspects of the Firm’s practice.

Information Security Risk & Compliance Analyst


Description/Job Summary

The Information Security Risk & Compliance Analyst is responsible for oversight of the firm’s data security compliance and risk assessment programs used to provide information security, ensure privacy and facilitate data governance. Reporting to the Director of Information Security, this role serves as the firm’s compliance subject matter expert, performing risk assessments (internal and external); monitoring systems for potential risks; and evaluating and recommending technologies.

This role will work with the IS team on identifying vulnerabilities, emerging threats and newly introduced risks to firm systems. This role requires a proactive approach in continual assessment of firm security systems, providing recommendations for enhancements and adapting to new threats and vulnerabilities.

  • Act as point person and subject matter expert on Information Security Risk Management principles, practices, rules and procedures
  • Assist team members in support of the Firm’s ISO 27001, ISO 27701 and ISO 22301 Information Security Management programs
  • Monitor and maintain the firm’s policies and procedures, recommend changes / enhancements, ensuring compliance
  • Conduct security audits (3rd party vendors) to ensure that security protocols are being followed and identify areas where improvements can be made
  • Coordinate third party technical risk assessments and related audit activities
  • Perform internal technical risk assessments and project reviews
  • Produce and maintain information security documentation, including but not limited to policies, procedures, standards, guidelines and diagrams
  • Review and respond to client audit / assessment requests in a timely manner
  • Drive continuous improvement through trend analysis reporting and metrics management
  • Monitor legal and regulatory changes and developments; advise Director and develop appropriate strategies, corrective actions, communications
  • Provide guidance to IT group members and firm personnel on related policies, firm procedures, regulatory rules and compliance
  • Coordinate activities within the firm’s vulnerability management program
  • Proactively assess potential risks and opportunities for improvement
  • Understand the role of systems and technology within the firm and promote a culture of information security risk & compliance across all business units
  • Co-manage the employee annual recertification for various firm policies
  • Perform other duties as assigned

Required Skills

  • 5+ years of experience in information security related responsibilities
  • Experience with the ISO 27002 control framework and SIG-Lite risk assessments
  • Proficient knowledge of the security implications of a variety of technologies, including but not limited to Microsoft, Cisco, Unix/Linux and other market-leading technology solutions, including mobile devices
  • Demonstrated knowledge of the global data security regulatory environment
  • Strong knowledge of technology risk management concepts and their application
  • Must be able to work collaboratively in a team environment and independently
  • Ability to handle sensitive and/or confidential material with discretion
  • Excellent interpersonal skills and a professional demeanor; ability to work effectively with all levels of Firm personnel and vendors
  • Excellent written and verbal communication skills, ability to communicate clearly and concisely
  • Strategic thinker with strong analytical and problem-solving skills
  • Demonstrated project management skills, organizational and execution skills with strong attention to detail
  • Ability to manage multiple concurrent objectives or activities, and effectively make judgments in prioritizing and time allocation
  • Must be flexible in order to respond quickly and positively to shifting demands

Preferred Skills

  • Industry certifications (for example CISSP, CISM, CISA or CGEIT)
  • 5+ years of experience in an information security risk management or governance role
  • 5+ years of experience in information technology, i.e. networking, desktop engineering, programming or systems administration
  • Strong knowledge of risk management frameworks, including ISO 27002, NIST and COBIT 5
  • Experience in a law firm environment a plus

Required Education

  • Bachelor’s degree, IT related discipline

Preferred Education

  • Professional certifications, such as CISSP, CISA, or CISM

Salary Information

The estimated base salary range for this position is $130k to $150k at the time of posting. The actual salary offered will depend on a variety of factors, including without limitation the qualifications of the individual applicant for the position, years of relevant experience, level of education attained, certifications or other professional licenses held, and, if applicable, the location in which the applicant lives and/or from which they will be performing the job. This role is exempt, meaning it is not overtime pay eligible.


Simpson Thacher & Bartlett is committed to a collegial work environment in which all individuals are treated with respect and dignity. The Firm prohibits discrimination or harassment based upon race, color, religion, gender, age, national origin, citizenship status, disability, marital or partnership status, sexual orientation, protected veteran’s status or any other legally protected status. “Gender” includes actual or perceived sex, a person’s gender identity, self-image, appearance, behavior or expression, whether or not that gender identity, self-image, appearance, behavior or expression is different from that traditionally associated with the legal sex assigned to that person at birth. This Policy pertains to every aspect of an individual’s relationship with the Firm, including but not limited to recruitment, hiring, compensation, benefits, training and development, promotion, transfer, discipline, termination, and all other privileges, terms and conditions of employment.