JOB LOCATION
100 Percent Remote Aurora, Colorado 80012-5591
City of Aurora, Colorado
It is an exciting time to work for the City of Aurora. We're growing and looking for dedicated and collaborative individuals to join our team of talented and valued employees. Excellent organizations have a set of principles, or core values, that are used to implement their mission and vision. Those values represent the touchstone for the organization, guiding the decisions of the individuals and the organization. At the City of Aurora, we demonstrate our excellence by modeling the CORE 4 Values of: Integrity, Respect, Professionalism, and Customer Service, and we welcome all who share these values to apply.
Why Work for Aurora?
- Make a difference in the lives of real people every day
- Diverse community
- Competitive total compensation package
- Well-Funded General Employees Retirement Plan
- Light rail station minutes away
- On-site fitness center and overall employee well-being programs
- Internal educational programs to assist with career advancement
- Access to innovation workspaces
PRIMARY DUTIES & RESPONSIBILITIES
- Risk & Compliance – You will share the lead position in the management and development of the enterprise information and technology compliance program, including managing the associated control catalog for your area of focus, control mapping, and research. Develops position papers for the CISO on new and existing compliance requirements, performs business compliance analysis, documents noncompliance and associated treatment plans, and provides reporting/metrics as requested by the CISO. You will be the lead for the end-to-end health and maturity of the CJIS compliance program across the city’s 11 agencies.
- Audit Management – As the lead for the CJIS compliance program, you will be responsible for the performance of the biennial CBI certification audit response. This includes reviewing and documenting CJIS-governed technologies and business processes for compliance, and creation of gap and treatment reports in collaboration with the impacted business line to meet CJIS requirements. You will maintain the CBI training certificates for IT and work with the ISO Engagement team to develop training as needed.
- Collaboration – Provides expertise and consultation to the Security Operations team and the IT Department during the evaluation and configuration of security controls, processes, and products to ensure they meet or exceed compliance requirements. You will represent the ISO at various industry-related task forces and governing body meetings.
- Security Incident Response – Supports the Security Operations, IT, and business process owners during response to ensure noncompliance is identified and a treatment plan is developed. Will advise the CISO on possible compliance violations and reporting requirements. Documents treatment plans and supports the CISO in the reporting and notification.
- Risk Assessments – Works with Security Operations and Business Engagement to identify risk to technology and data, perform assessments, document risk within the ISO risk portfolio, and develop treatment plan recommendations for the CISO. Manages the maintenance of CJIS artifacts throughout the year, engaging IT and business staff to ensure responsive evidence is current and readily available for audit. Supports the CISO in the development of the annual audit and assessment plan. Tracks the resolution of findings through closure.
- Change Management – You will have the opportunity to reshape the change and configuration management program for the city’s technical infrastructure. This role will develop and enforce compliance with change management standards of practice and configuration baseline development and deviation. You will run the Change Advisory Board (CAB) meetings, ensuring requests for change are vetted before the CAB and compliant with ISO standards of practice (SOP), monitoring and alerting for non-compliant changes and program violations, and providing coaching and guidance to staff.
- Special Projects – As the Special Projects lead, you will work at the direction of the CISO to identify, document, and address control-specific IT and ISO risk gaps, oversee their treatment, and perform after-action reviews to reduce the likelihood of control slip. This role’s special projects involvement may be as an implementer, architect, assessor, or simply providing coaching and mentoring to staff.
- Research – You will be expected to keep current on industry regulations applicable to the city’s CJIS governance program, as well as federal and state laws regarding personal and criminal information.
- Reporting – You will have the opportunity to develop metrics and reporting for program measurement and presentation to leadership as directed by the CISO.
- Policy – Provides input and expertise in the development of policy and standards of practice.
- Performs other related duties as assigned.
This job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee. Duties, responsibilities, and activities may change, or new ones may be assigned at any time with or without notice.
MINIMUM QUALIFICATIONS & WORKING CONDITIONS
MINIMUM QUALIFICATIONS
An equivalent combination of education, training, and experience that demonstrates required knowledge, skills, and abilities may be considered.
Education:
- Bachelor’s Degree or equivalent experience
Experience:
- Five (5) years of experience performing security operations, compliance, risk, legal, or technical audit duties with any of the following: NIST SP800 Series, CJIS Security Policy, or comparable frameworks, standards, or laws.
Preferred Qualifications:
- Security, privacy, or industry certification such as Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), Certified Risk and Information Systems Control (CRISC), Certified Information Privacy Management (CIPM), Certified Information Privacy Technologist (CIPT), or comparable is strongly preferred.
- Experience with security control systems, such as SIEM, EDR, scanning tools, vulnerability tools, etc.
- Experience with metrics/reporting, audit management, or third-party risk management is preferred.
- Experience with CJIS Security Policy, legal, and regulatory compliance practices
Knowledge:
- Applied experience that shows knowledge of cybersecurity controls, policies, and procedures
- Strong understanding of technical processes, tools, guidelines, and benchmarks
Skills:
- A high level of attention to detail, communication, presentation, and customer service skills
Abilities:
- Ability to prioritize
- Establish and maintain effective working relationships with IT and the business
- Handle sensitive situations with tact and diplomacy
- Communicate effectively both verbally and in writing
- Establish and fulfill goals and objectives
WORKING CONDITIONS
Essential Personnel:
- When a local announcement of emergency or disaster is declared by the city, all City of Aurora employees may be required to work as essential personnel.
Physical Demands:
- Light to sedentary physical work requiring the ability to lift a maximum of 25 pounds
- Occasional lifting, carrying, walking, and standing
- Speech communication and hearing to maintain communication with employees and citizens
- Vision for data analysis, preparation of reports, and other written documents
- Hand/eye coordination for the operation of the computer keyboard
Work Environment:
- Works in a clean, comfortable environment
- Will generally work from home, occasionally coming into the office or city facility for physical meetings and on-premise projects
- Will have regular meetings with leadership, ISO / IT personnel, and the business, which can occasionally require in-person presence
Equipment Used:
- Standard business and professional tools and equipment, including computers and peripheral equipment
The city of Aurora will implement furlough days (unpaid days off) for most employees in 2026. The scheduled furlough dates are January 16, April 10, July 2, and December 24.
For Veterans preference: Please show all of your employment history, including military service and related documentation (DD214) on the application.
The City of Aurora is an equal opportunity employer. We are required by state and federal agencies to keep certain statistical records on applicants. It will not be used in any way to discriminate against you because of your sex, race, age, sexual orientation, creed, national origin, disability or military status, gender identity, unless related to a bona fide occupational qualification as defined by the Colorado Civil Rights Commission and the Equal Opportunity Commission.
Despite the changes in Colorado law, the City of Aurora maintains a drug-free workplace. A positive test of marijuana is grounds for disqualification and ineligibility for employment with the city for one year or termination once hired.
Drug Testing, Thorough Criminal Background Check, and Employment References:
As a condition of employment, all applicants selected for employment with the City of Aurora must undergo a thorough criminal background check.
Applicants selected for safety-sensitive positions are required to complete and pass a drug screening as a condition of employment. Safety-sensitive positions include Civil Service positions within Police and Fire Departments and positions where their job responsibilities have direct and substantial responsibility that would impact the health and safety of others.
Employment references will be conducted on finalists for City of Aurora vacancies.