Business Systems Analyst
About the job
Fitness Experts will support workstreams around research and development of training-related products and services. Expertise in the subject matter and attention to detail in the context of programming and planning are critical to this role.
At least one national-level personal training certification or degree in relevant field (personal training, exercise science), preferably held 3+ years.
National certifications include:
NASM/National Academy of Sports Medicine
NSCA/National Strength and Conditioning Association
ISSA/International Sports Sciences Association
ACSM/American College of Sports Medicine
ACE/American Council on Exercise
Experience working remotely with training clients
Familiarity with standardized fitness measurements and testing
Business Systems Analyst III
About the Job:
• At least 5 years relevant experience required. Responsible for gathering, analyzing, and creating comprehensive work products documenting requirements, including validation and traceability, for existing and new applications supporting various business channels.
• This position understands how organizations function to accomplish their purpose, and defines capabilities an organization requires to provide a service or meet their goals.
• Facilitates communication between organizational units to align the needs of business units in order to create requirement work products for solution providers.
• Plans, directs and completes the analysis of business problems to be solved or product/services to be developed for delivery.
• Provides technical assistance in identifying, evaluating and developing systems and procedures that are cost effective and meet user requirements.
• Assesses system impacts, provides gap and process analysis as well as cost/benefit analysis for system or product/service related initiatives.
• Acts as liaison between the user community and internal IT resources. Plans, facilitates, and participates in working sessions with cross-functional resources.
Candidates must be local to Frisco, TX or Overland Park, Kansas due to the team's location. Some onsite work is expected; however, remote candidates are approved as well. Based on role, about 90% of the time the NTW resource will be remote. Must meet vaccination requirements.
Citizenship - US Required
Possibility to convert to hire.
Working knowledge of AURORA, ServiceNow, Pier II, Visio.
Will be providing day-to-day operational supplemental support for CMMC (Cybersecurity Maturity Model Certification), NYDFS (New York Department of Financial Services), CPNI (Customer Privacy Network Information), PII (Personal Identifiable Information), PSR (Privacy Security Reviews), CCPA (California Customer Privacy Act), and PCI (Payment Card Industry).
One of the key skills we have is:
• Ability to translate control language into wording that control owners and operators will understand and be able to provide evidence and methods and procedures to fulfill the requests.
• From a 2nd line of defense category, here are our key roles and responsibilities. Think of our time study and any special coding, script building or actual functions you are providing that are NOT listed here. (Example: updating SOX flags in ITSM.)
• Provides consultation on design and implementation of controls and alignment (Control Owners, Control Operators, 1st and 3rd line of defense, External Auditors, and Internal Control Supplemental Support teams like KPMG, Internal Audit, etc.)
• Monitors and manages controls for effectiveness and remediation/Control Rationalization (Quality Assurance, managing those timelines and resources)
• Liaison between various external auditors and internal operators - (FCG, KPMG, Internal Audit, etc.)
• Reviews evidence/performs risk assessments - Quality Assurance and actual test effectiveness
• Assists where proof of effective design and operation of controls is needed
• Reports to Leadership on status - metrics and tracking - escalations where needed
• Facilitates changes to the list of control owner/operators in tools - Updates to Aurora and PwC Connect, etc. so that narratives, requests, owner and operator updates, assignment of requests, are all current. Constant changes.
• Performing Detective Controls for Legacy Sprint NSA compliance, reviewing daily reports and taking action when non-vetted user accounts are discovered on USG and USG Limited flagged servers
• Perform 24 x 7 Operational Support for QRadar Retention logging environment (Legacy Sprint)
• Enter EPP Requests for IT and Operational Support personnel including KPMG resources to have access to or BOB reports, ITSM system as the official source of record to search and utilize as evidence for Audit Controls
• Enter Service Requests and assign to Control Operators for multiple Compliance Programs.
• Enter Tickets for user access removals for Non-Vetted Accounts and for remediation of Developers found on Production SOX servers
• Monitor daily Varonis file share report. Reach out to server owners (from MSL) to verify need for shared folder. Begin process of bringing folder into compliance working with the Varonis team.
• Monitor daily reports produced by James Tyes reporting for 6 different controls (4 reports for SOD, local admin approval, server access approvals, term check, dev check, CSG vetting). Take appropriate action on results for each report. Primarily removing users from groups, reaching out to ticket approvers, and verification of CSG vetting.
• Review evidence for PSR controls - This requires understanding of control language and the ability to match control language to evidence samples provided from various applications and operating systems.
• Agency should conduct screening interviews and skill assessments so hiring manager can be confident the candidates they are interviewing meet the job requirements and concentrate on evaluating the candidates' other traits, such as personality, work style, and communication and problem-solving skills.
• Here is a template for the day-to-day operational support he would utilize for supplemental support on a daily basis:
• The data gathering phase is low skill.
• The preparation phase requires someone analytical and good with problem solving.
• The attestation phase should be someone good with people that can answer risk-based questions but need not be skilled in compliance.
• The rest of the control requires the same type of person as the preparation.
• All in all, it would be most efficient to have a few people doing the analytical work of building preparations files and doing removals and attestations that are focused on details and getting the work done correctly. Then they can hand off the evidence gathering, attestation gathering, and removal fulfillment to less skilled people to track down the responses. Then it can get handed back to the more analytical people to close the control and QA.
• Currently we have one operator for every 10 controls quarterly. I believe this ratio would likely be improved with the steps above by about 20%.
• We have about 45-47 control operations performed quarterly, which will likely grow to 60-65 in 2022.
• Updating and Reviewing control documentation each run.
• Collecting data from source systems and teams while ensuring completeness and accuracy.
• Preparing the data in Excel or similar system including termination checks, segregation of duties checks, and attester assignment.
• Publishing User Access Review to SharePoint and making sure all attesters certify the access in a timely fashion.
• Perform or request any removal of access and validate removals.
• Adhere to our Realtime Quality Check processes and checklists.
• Quality check other operators' controls.
• Track the progress of all controls within our SharePoint Schedules and checklists
• Work together with owner, SME, and other resources to create remediation plans and control improvements where applicable.
• Evidence collection
• Retrieve evidence for event-driven controls for about 40 different applications and systems, including change auditor reports, CRM reports, change management, etc.
• Work with the application teams to help them adhere better to policy.
• Review the evidence and make sure it is accurate and complete and mitigate any potential risks and issues.
• Monitoring event-driven evidence throughout the year to mitigate any risks as they occur.
• Reduce the need for monitoring by getting manual flows automated within our ticketing system.
• Conduct the SART UARs
• Conduct all existing steps and requirements.
• Improve interface.
• Make the process more efficient and eliminate unnecessary steps.
• Find better ways to tie out completeness and accuracy.