
Information Security Operations and Compliance Analyst

  • Philadelphia, Pennsylvania
  • Business Professional - Non-Exempt
  • IT

Stradley Ronon Stevens & Young, LLP is a national, full-service law firm founded in Philadelphia, Pennsylvania, with marquee practices in investment management, litigation, and business. We are committed to smart growth, innovative thinking, excellence, and integrity. With 225 attorneys and 180 business professionals, we proudly serve a diverse base of household-name clients, many of whom help shape the world of financial services and products, working together to produce achievements greater than the sum of our parts.


As the Information Security Operations and Compliance Analyst, you will support and continuously improve the Firm’s information security governance, risk, and compliance program. In this role, under the direction of the Director of Information Security and the Chief Information Officer, you will act as the primary subject matter expert (SME) for key elements of Security Operations, including internal audit readiness, ISO/IEC 27001 alignment, and remediation tracking. You will maintain and enhance the Firm’s Information Security Management System (ISMS) and other adopted compliance frameworks, conduct enterprise risk assessments, and partner with threat, technical, and business teams to identify control gaps and drive timely, sustainable remediation.


You will also lead the Firm’s Vendor Risk Management Program, operating a continuous third‑party risk assessment process to ensure vendors meet established security and compliance expectations. This role also serves as the Security Compliance Subject Matter Expert supporting the Director of Information Security during client security reviews and audits: completing security questionnaires, coordinating evidence collection, and supporting follow‑up inquiries. Additional responsibilities include facilitating business continuity activities and recommending control and process improvements based on lessons learned.


Security Compliance

Serve as a Security Compliance Subject Matter Expert (SME) during client security reviews and audits.

  • Complete initial responses to client security questionnaires, coordinating with internal stakeholders as needed.

  • Support follow‑up inquiries and provide evidence of control effectiveness.

Own, maintain, and improve the Firm’s Information Security Management System (ISMS) for ISO/IEC 27001 and other adopted compliance frameworks (e.g., ISO/IEC 42001).

  • Maintain the Statement of Applicability (SoA), oversee control implementation, and prepare audit evidence as necessary.

  • Facilitate the periodic review and continuous improvement of ISMS policies, standards, and procedures.

  • Conduct annual enterprise risk assessments and oversee the development and execution of risk treatment plans.

  • Design and execute an internal audit program to assess ISO 27001 readiness and remediation status.

  • Ensure ongoing alignment with ISO/IEC 27001 requirements through defined, repeatable processes.

  • Track, report, and communicate operational risks, control gaps, risk acceptance decisions, and opportunities for improvement to stakeholders.

Security Operations

Partnering with the Operations and Cyber Threat Analyst, maintain and continuously improve the Firm’s Security Operations.

  • Identify and implement process improvements, including opportunities for automation and operational efficiency.

  • Maintain and enhance the Firm’s Information Security metrics and reporting program to measure control effectiveness and risk posture.

  • Own the end‑to‑end tracking and remediation of security operational outcomes, ensuring timely resolution with appropriate teams.

Own and maintain the Firm’s Vendor and Product Risk Management Program.

  • Operate a continuous vendor risk assessment program in compliance with the Firm’s Vendor Management Policy.

  • Regularly review vendor payments and contracts to identify third parties not formally onboarded or under active risk management.

  • Produce vendor risk and compliance reports, tracking identified gaps through remediation and closure.

  • Design and manage a recurring reassessment process to ensure vendors continue to meet security and risk management expectations.

  • Perform product risk assessments for new and existing technologies to evaluate security posture, data handling practices, and alignment with internal security requirements.

Lead and maintain the Firm’s Business Continuity Program (BCP) and its supporting documentation.

  • Coordinate the development, review, and annual update of Business Impact Analyses (BIAs) across departments and practice groups.

  • Ensure alignment between business continuity planning and IT disaster recovery capabilities.

Security Awareness & Training

  • Partnering with the Operations and Cyber Threat Analyst, deliver Information Security Awareness training for all new hires.

  • Develop and conduct targeted, ad‑hoc training for individuals who fail to complete required training or repeatedly fail phishing simulations.

  • Partner with HR and leadership to promote a strong security‑aware culture across the Firm.

Project Subject Matter Expert (SME)

Act as a SME for initiatives and projects aimed at enhancing security compliance and operational security processes.

  • Participate in process improvement efforts, tool evaluations, and automation initiatives to strengthen security operations effectiveness and compliance maturity.

  • Complete assigned project tasks expertly and on time.


Required Qualifications

  • Bachelor’s degree in information security, information systems, risk management, business, or a related field (or equivalent experience).

  • 2 - 4 years of experience in information security compliance, risk management, IT audit, or business continuity roles.

  • Working knowledge of information security frameworks and regulatory expectations relevant to professional services or law firms.

  • Strong documentation, organizational, and stakeholder coordination skills.

  • Ability to translate technical and operational concepts into clear, audit‑ready documentation.


Preferred Qualifications

  • Experience in a law firm or professional services environment.

  • Familiarity with client security assessments and outside counsel guidelines.

  • Professional certifications such as CISA, CRISC, ISO 27001 Lead Implementer / Lead Auditor.


No agencies please.
For questions regarding this position, please contact Julie Oates, Talent Acquisition Manager, at joates@stradley.com. Outside agencies, search firms and/or their representatives will not be compensated in any way for unsolicited candidate submissions, or submissions made through anyone other than a Legal Recruiting Department representative.


Stradley Ronon offers a competitive benefits package that includes medical, vision, dental, and prescription drug coverage; health savings account (with applicable medical plan); flexible spending accounts; life insurance; short- and long-term disability coverage; and 401(k). Additionally, the firm provides family forming and hormonal health benefits; childcare leave; backup child and adult care; pre-tax commuter benefits; an employee assistance program; a wellbeing program; vacation and other paid time off.



Stradley Ronon Stevens & Young, LLP is an Equal Opportunity Employer.