
GRC Information Security Systems Analyst (Minneapolis, MN) (#4073)
Dorsey & Whitney LLP, Minneapolis, MN, United States
Join Dorsey’s Information Security team as a GRC Information Security Systems Analyst to help safeguard our firm and clients by driving high-impact security initiatives across audits, risk, governance, and compliance. In this role, you’ll lead and support client and pre-contract security assessments, organize and execute internal ISMS audits and management reviews, maintain current policies and controls aligned to ISO 27001 and other leading frameworks, and oversee authorization services and quarterly NetDocuments access reviews. You’ll partner with stakeholders to deliver cybersecurity consulting projects, validate repeatable RBAC and entitlement processes, and ensure our DLP program meets client, ISO, and regulatory requirements to make a tangible difference in the resilience and trust our clients expect.
Key Responsibilities
Support the GRC Manager in maintaining Information Security documentation so that it reflects changes in the organization, technology, or threat landscape.
Provide Information Security Program reporting related to metrics and dashboards for various Dorsey committees as requested by GRC Manager.
Create and oversee the distribution of bimonthly Information Security communications released Firm-wide.
Collaborate with Firm and Information Services process owners, stakeholders, and internal and external assessors and auditors to execute and review risk assessments and internal and external surveillance audits leading to recertification (e.g., ISO 27001, GDPR). Document audit findings, remediation action plans, and audit report responses.
Consult with Information Services teams and Dorsey Business Teams, advising on Compliance requirements and Information Security Standards and Controls.
Collaborate with Information Services team stakeholders to implement processes that automate and continuously monitor Compliance-related Information Security Standard controls and approved exceptions.
Assist GRC and Information Security management with the continuous operation, monitoring, and improvement of the Information Security Management System (ISMS) by organizing and executing annual internal audits and management reviews.
Ensure Compliance-related documentation, including policies, procedures, and the Statement of Applicability, is current and reflects any changes in the organization, technology, or threat landscape.
Complete Client-generated pre- and post-contract security controls and risk review assessments and audits in support of Dorsey client requests.
Review and provide security input into Client RFP Responses. Support Marketing and Business Development teams with RFP response requests as they pertain to Information Security.
Perform Dorsey-requested pre-contract security controls and risk review of technology, software, and services.
Maintain the Dorsey SIG Questionnaire and ndMax AI chatbot, collaborating with key Information Services stakeholders to keep them current.
Assist the GRC Manager with project-based risk assessments, interviewing, collecting data, and documenting risk. May be asked to present risk assessment results to the Head of Cybersecurity and CIO for discussion and to drive decision-making. Document risk decisions in the risk register where necessary.
Maintain the Firm Technology Risk Register, provide reporting, and coordinate meetings with Information Services Leadership to discuss open risk items and remediation actions.
Support the GRC Manager in creating the annual Firm-wide Security Awareness Training Program (Human Risk Initiative), including Phish Simulation Testing.
Support the delivery of a focused 8-week training program for current business professionals and of training for newly hired business professionals.
Support the delivery of multi-month, Firm-wide Phish Simulation Testing.
Prepare Human Risk reporting, update Human Risk Calculations, and deliver additional training assigned by the GRC Manager.
Execute the project-based enhancement of RBAC, Rights, Permissions, Groups, and Entitlement Definition and Clean‑Up for Privileged Accounts (PIM), Service Accounts, and User Accounts; this position will also support the ongoing Identity & Authorization Services Compliance Oversight process.
Execute the post-project oversight process, validating that the defined, repeatable process is being followed so that all user, privileged, and service accounts maintain security controls that reduce the risk of unauthorized access.
Execute the oversight process that provides assurance that validated, repeatable processes are being followed so that all human and nonhuman accounts maintain security controls that reduce the risk of unauthorized access and shrink the attack surface.
Perform the quarterly NetDocuments access review as assigned.
Support DLP Program execution and oversight to ensure DLP controls meet Client, ISO, Information Governance, and Regulatory requirements.
May perform other duties not listed above.
What We’re Looking For
Bachelor’s Degree in Business, Computer Science, or a related field, or equivalent experience.
At least 3–5 years (preferred 5–7 years) of demonstrated experience across three of the following:
Implementing or maintaining an Information Security Management System (ISMS) aligned to one or more of the following compliance frameworks:
ISO 27001:2013, ISO 27001:2022, SOC2, GDPR, NIST Cybersecurity Framework (CSF), or NIST 800‑53.
Implementing or maintaining information security policies, standards, controls, guidelines, and procedures in one or more of the following compliance frameworks:
ISO 27001:2013, ISO 27001:2022, SOC2, GDPR, NIST Cybersecurity Framework (CSF), or NIST 800‑53.
Client-requested assessment and audit experience, and IT/Security technology and software security risk assessment reviews.
Similar technology/information security-focused experience, with a minimum of 3 years' experience in at least two of the following:
Compliance function.
Information security risk and risk frameworks.
IT/security governance and audit.
Security awareness training programs.
At least 3–5 years (preferred 5–7 years) of experience with:
Successfully planning, preparing, and delivering audit (re)certification and authorization of in-scope technology asset compliance environments and boundaries.
Performing client security risk assessments and RFP cybersecurity responses, and driving Third‑Party Vendor Technology and Service Security Risk Assessments and ongoing Monitoring.
Hands‑on experience defining, implementing, and maintaining an annual information security training program.
At least 2–3 years of hands‑on experience driving IAM enhancements using automation and tooling across hybrid AD/Entra environments, including group and role analysis, AD permission cleanup, RBAC design and implementation, least‑privilege enforcement, privileged access reduction, and integration of IAM with HR and IT lifecycle workflows.
At least 2–3 years of hands‑on experience executing Data Loss Prevention (DLP) enhancement initiatives, including defining data in scope, implementing data classification and tagging, developing and deploying DLP policies and alerting requirements, performing initial analysis of data flows and risks, and partnering with SOC, IT, and business teams to ensure ongoing compliance and control effectiveness.
Excellent written and verbal communication skills; demonstrated experience communicating and collaborating effectively across business and technology areas.
Ability to work independently, with excellent organizational and management skills.
Ability to manage and prioritize multiple tasks and adapt to needed changes.
Knowledge of on‑premises and Microsoft Azure/M365 tenant‑based technologies, cloud infrastructure platforms (e.g., Microsoft Azure, Microsoft 365, Microsoft AD & Entra, Microsoft Purview, OneDrive, TEAMS, Sentinel, Microsoft Defender, Exchange Online, Exchange On‑Prem, Zoom, Jabber, Document Management Systems, SSO, OAuth), and SaaS‑based application frameworks, sufficient to evaluate key information security requirements, controls, and risk areas.
Preferred
At least one certification such as CISSP, CISM, and/or CISA.
At least 5–7 years' Governance, Risk, and Compliance experience, as listed above.
Prior Legal or Professional Services experience.
Informed on information security industry standards and best practices.
The pay range for this position in Minnesota only is an annual salary of $96,560 to $124,960.
Office Location: Minneapolis, MN
Dorsey & Whitney LLP is an EEO/AAP/Disabled Vets Employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, ancestry, sex, national origin, sexual orientation, gender identity, affectional preference, disability, age, marital status, familial status, status with regard to public assistance, military or veteran status, or any other legally-protected status.
Dorsey & Whitney LLP participates in E‑Verify.
Dorsey estimates it will accept applications through May 13, 2026.