GRC Information Security Systems Analyst (Minneapolis, MN) (#4073)

Join Dorsey's Information Security team as a GRC Information Security Systems Analyst to help safeguard our firm and clients by driving high-impact security initiatives across audits, risk, governance, and compliance. In this role, you'll lead and support client and pre-contract security assessments, organize and execute internal ISMS audits and management reviews, maintain current policies and controls aligned to ISO 27001 and other leading frameworks, and oversee authorization services and quarterly NetDocuments access reviews. You'll partner with stakeholders to deliver cybersecurity consulting projects, validate repeatable RBAC and entitlement processes, and ensure our DLP program meets client, ISO, and regulatory requirements to make a tangible difference in the resilience and trust our clients expect.

Key Responsibilities Include:

- Support GRC Manager with the maintenance of Information Security documentation, supporting changes in the organization, technology, or threat landscape.
- Provide Information Security Program reporting related to metrics and dashboards for various Dorsey committees as requested by GRC Manager.
- Create and oversee the distribution of Bimonthly Information Security communications released Firm wide.
- Collaborate with Firm and Information Services process owners and stakeholders, internal and external assessors and auditors to execute and review risk assessments, internal and external surveillance audits resulting in the recertification (e.g., ISO 27001, GDPR). Document audit findings, remediation action plans and audit report responses.
- Consult with Information Services teams, Dorsey Business Teams and advise on Compliance requirements, and Information Security Standards and Controls.
- Collaborate with Information Services team stakeholders to implement processes that automate and continuously monitor Compliance-related, Information Security Standard controls, and approved exceptions.
- Assist GRC and Information Security management with ISMS continuous operation, monitoring, and improvement of the Information Security Management System (ISMS) by organizing and executing annual internal audits and management reviews.
- Maintain Compliance-related documentation, including policies, procedures, Statement of Applicability, are current and reflect any changes in the organization, technology, or threat landscape.
- Complete Client-generated pre- and post-contract security controls and risk review assessment, audits, in support of Dorsey client requests.
- Review and provide security input into Client RFP Responses. Support Marketing and Business Development teams with RFP response requests as they pertain to Information Security information.
- Perform Dorsey-requested pre-contract security controls and risk review of technology, software, and services.
- Maintain Dorsey SIG Questionnaire and ndMax AI chatbot, collaborating with key Information Services stakeholders for its currency.
- Assist GRC Manager with project-based risk assessments, interviewing, collecting data, and documenting risk. May be asked to present risk assessment results to Head of Cybersecurity and CIO for discussion and drive decision-making. Document risk decision in risk register if necessary.
- Maintain Firm Technology Risk Register, provide reporting and coordinate meetings with Information Services Leadership to discuss open risk items and remediation actions.
- Support GRC Manager in the creation of an annual Firm-wide Annual Security Awareness Training Program, Human Risk Initiative, with Phish Simulation Testing.
- Support the delivery of a focused 8-week training program for currently hired business professionals, New Hired business professionals training.
- Support the delivery of multi-month, Firm-wide Phish Simulation Testing.
- Prepare Human Risk reporting and update Human Risk Calculations and additional training assigned by GRC Manager.
- Execute the project-based enhancement of RBAC, Rights, Permissions, Groups, and Entitlement Definition and Clean-Up for Privileged Accounts (PIM), Service Accounts, and User Accounts, this position will support the ongoing Identity & Authorization Services Compliance Oversight process.
- Execute post-project oversight process will validate the defined, repeatable process being followed to ensure all user, privileged users, and service accounts maintain security to reduce risk of unauthorized access.
- Execute oversight process to ensure assurance is validated, repeatable processes are being followed to ensure all human and nonhuman accounts maintain security that reduce risk of unauthorized access and shrink attack surfaces.
- Perform the quarterly NetDocuments access review as assigned.
- Support the DLP Program Execution and Oversight to ensure the DLP controls meet Client, ISO, Information Governance, and Regulatory requirements.
- May perform other duties not listed above.

What we're looking for:

- Bachelor's Degree or equivalent in Business, Computer Science or equivalent experience.
- At least 3-5 years (preferred 5-7 years) of demonstrated experience across three of the following:
- Implementing or maintaining an Information Security Management System (ISMS) aligned to one or more of the following compliance frameworks:
- ISO 27001:2013, ISO 27001:2022, SOC2, GDPR, NIST Cybersecurity Framework (CSF), or NIST 800-53.

- Implementing or maintaining information security policies, standards, controls, guidelines, and procedures in one or more of the following compliance frameworks:
- ISO 27001:2013, ISO 27001:2022, SOC2, GDPR, NIST Cybersecurity Framework (CSF), or NIST 800-53.
- Client-request assessment, audit experience and IT/Security technology, software security risk assessment reviews.
- Similar technology/information security focused experience with minimum of 3 years' experience with at least two of the following:
- Compliance function.
- Information security risk and risk frameworks.
- IT/security governance, and (4) audit.
- Security awareness training programs.
- At least 3-5 years (preferred 5-7 years) of experience with:
- Successful planning, preparing, and delivery of audit (re)certification, authorization of in-scope technology asset compliance environments and boundaries.
- Performing client security risk assessments, RFP Cybersecurity responses, driving Third-Party Vendor Technology and Service Security Risk Assessments and ongoing Monitoring.
- Hands-on experience defining, implementing, and maintaining annual information security training program.
- At least 2-3 years of handson experience driving IAM enhancements using automation and tooling across hybrid AD/Entra environments, including group and role analysis, AD permission cleanup, RBAC design and implementation, leastprivilege enforcement, privileged access reduction, and integration of IAM with HR and IT lifecycle workflows.
- At least 2-3 years of handson experience executing Data Loss Prevention (DLP) enhancement initiatives, including defining data in scope, implementing data classification and tagging, developing and deploying DLP policies and alerting requirements, performing initial analysis of data flows and risks, and partnering with SOC, IT, and business teams to ensure ongoing compliance and control effectiveness.
- Excellent written and verbal communication skills; demonstrated experience, communicating and collaborating effectively across business and technology areas.
- Ability to work independently, excellent organizational and management skills.
- Ability to manage and prioritize multiple tasks and adapt to needed changes.
- Knowledge of on-premises and MSFT Azure, M365 Tenant-based technologies and cloud infrastructure platforms (e.g., Microsoft Azure, Microsoft 365, Microsoft AD & Entra, Microsoft Purview, OneDrive, TEAMS, Sentinel, Microsoft Defender, Exchange Online, Exchange On-Prem, Zoom, Jabber, Document Management Systems, SSO, OAuth) and SaaS-based application frameworks to evaluate key information security requirements, controls, risk areas.

Preferred:

- At least one certification such as CISSP, CISM, and/or CISA.
- At least 5-7 years' Governance, Risk, and Compliance experiences, listed above.
- Prior Legal or Professional Services experience.
- Informed on information security industry standards and best practices.

About Dorsey:

Dorsey & Whitney is a global law firm with over 650 lawyers across 22 offices in the United States, Canada, Europe and Asia. We provide strategic legal counsel to companies worldwide across a diverse range of industries, including banking & financial institutions; development & infrastructure; energy & natural resources; food, beverage & agribusiness; healthcare & life sciences; and technology.

Dorsey offers opportunities for advancement within a collaborative and dynamic environment, with competitive pay and excellent benefits. Our benefits are available to business professionals working 17+ hours/week along with their dependents, including spouses and domestic partners regardless of gender. Dorsey's benefit package includes: comprehensive medical insurance with coverage for infertility, gender-affirming care, behavioral health, and access to virtual providers; dental insurance; vision insurance; 401(k) retirement savings plan with Firm contribution; basic and optional life insurance; short and long-term disability; paid time off; up to 8 weeks of paid parental leave with up to an additional 6-8 weeks of paid short-term disability for business professionals who give birth; paid holidays; paid volunteer day; discretionary bonuses (if bonus eligible); adoption assistance; healthcare, dependent care, and transportation pre-tax reimbursement accounts; back-up child and elder care program; education and college advising program; virtual tutoring; wellbeing programs and activities; mass transit program (certain offices); travel assistance program; 24/7 employee assistance program with access to five confidential visits with a licensed counselor at no cost. (Some benefits are subject to eligibility criteria.)

One of our greatest strengths is a friendly, cooperative culture that values and appreciates each individual. Dorsey has received external recognition for our welcoming workplace, including:

- Mansfield Certification Plus (Diversity Lab)
- Best Law Firms for Women (National Association of Female Executives and Flex-Time Lawyers)
- 100% rating on the Corporate Equality Index (Human Rights Campaign)
- Gold Standard Certification (Women in Law Empowerment Forum)
- Top 100 Adoption-Friendly Workplace (Dave Thomas Foundation for Adoption)

Reasonable Accommodations:

Dorsey is committed to providing disability and religious-based reasonable accommodations, as well as menopause, pregnancy or lactation-related reasonable accommodations. If you require a reasonable accommodation during the application and hiring process, or if you have questions about a workplace reasonable accommodation, please contact us at 612-492-5178.

How to Apply:

Dorsey & Whitney LLP accepts online applications. Please go to the "Careers" section of the Dorsey website at www.dorsey.com/staffjobs and complete Dorsey's online application form. We are unable to accept application materials by mail or email.

Dorsey & Whitney LLP is an EEO/AAP/Disabled Vets Employer. All qualified applicants will receive consideration for employment without regard to race, color, creed, religion, ancestry, sex, national origin, sexual orientation, gender identity, affectional preference, disability, age, marital status, familial status, status with regard to public assistance, military or veteran status, or any other legally-protected status.

Dorsey & Whitney LLP participates in E-Verify.

The pay range for this position in Minnesota only is an annual salary of $96,560 to $124,960.

This range represents Dorsey's good faith estimate of likely compensation at the time of posting. Actual pay will be dependent upon a number of factors, including the candidate's experience, qualifications, skills and location and may fall outside of the range indicated.

Dorsey estimates it will accept applications through May 13, 2026.

Please note that Dorsey is not currently accepting search firm submissions in connection with this opening.

#LI-TC1
#LI-Hybrid

Office Location:
Minneapolis, MN