
Sr. Enterprise Security Policy Standards Analyst Dallas or Detroit metro

Comerica Bank
life insurance, parental leave, paid time off, sick time, 401(k)
United States, Michigan, Auburn Hills
Jul 09, 2025
The Senior Enterprise Security Policy and Standards Analyst is focused on the development and ongoing maintenance of Technology and Enterprise Security policies and standards for protecting the confidentiality, integrity, and availability of information at Comerica. The incumbent evaluates the need to establish new technology/information security standards based on risk evaluations, changes in threats, technology updates, business objectives, laws, and/or regulations. This will include monitoring new laws, regulations, and industry standards that may affect how technology and information security is managed at Comerica (e.g., GLBA, FFIEC standards, PCI standards, HIPAA, Privacy laws).
The incumbent will assess gaps with Comerica's existing technology/information security controls, policies, and standards and make recommendations to management as needed for new and updated standards. This will require working directly with subject matter experts from Enterprise Security, Technology, Enterprise Risk, Legal and other business units within the bank to further assist in the recommendations and document these requirements.
This role will be responsible for interpreting, analyzing, developing, and writing policies and standards from a business and technical perspective. This includes managing the entire lifecycle, which consists of planning research, drafting, approval and publication, and communication of the policies and standards.
Position Responsibilities:
Policy & Standards Development


  • Lead drafting policy documents (standards, procedures, and reference documents) ensuring clarity, accuracy, and effectiveness of the documented requirements.
  • Develop and implement organizational policies to comply with applicable laws, regulations, and industry best practices.
  • Coordinate with Technology, Enterprise Security business unit leaders and management to assess policy needs and develop strategies to address organizational challenges or identified requirement gaps.
  • In collaboration with Technology and Enterprise Security partners, evaluate complex technologies, systems, processes and controls to identify security risks and compliance gaps.
  • Facilitate policy and review meetings with stakeholders to gather feedback, discuss policy implications, and achieve consensus.


Policy Governance and Oversight


  • Review new or modified technology and information security policies prior to vetting and publication and make recommendations to the Technology and Enterprise Security leadership teams. Identify, recommend, and facilitate the enhancement or modification of Technology and Enterprise Security policies based on changes in risks, organizational practices, regulations, industry best practices or technical trends.
  • In collaboration with our partners, evaluate complex technologies, systems, processes, and controls to identify security risks and compliance gaps.
  • Determines review schedule for Technology and Enterprise Security policies. Identifies and develops policy review teams and participates in policy reviews.
  • Represents the department at working groups regarding Technology and Enterprise Security policy development and review of new technologies, designs, and remediation planning efforts.
  • Investigates potential compliance failures, identifying security needs and recommends plans/resolutions.
  • Understand and share the legal and ethical implications of policies, especially in terms of user privacy, data protection, and artificial intelligence.
  • Assess the sensitivity of information and perform vulnerability and risk assessments based on information sensitivity and flow.


Project Management and Communication


  • Manages and leads medium to large projects related to Technology and Enterprise Security such as development of new policies or complex policy revisions, large technology projects, training course development.
  • Contribute to projects driven by groups both internal and external to Enterprise Security.
  • Ensures effective communication of changes to Technology and Enterprise Security policies to Senior leadership.
  • Communicate the status, risks, and issues associated with the Policy and Standards compliance program.
  • Engages in a consultative role to ensure the enterprise operates securely as they navigate an evolving IT environment.


Other duties as assigned.
Position Qualifications:


  • Bachelor's Degree from an accredited university in Information Management, Information Governance, Risk Management, Computer Science, or other relevant disciplines OR HS/GED with 10 years Progressive Relevant Experience
  • 6 years of experience in policy interpretation and development
  • 6 years of experience in the development and analysis of industry best practices
  • 6 years of experience with IT governance, compliance, risk, and audit programs
  • 6 years of experience with GLBA, FFIEC standards, PCI standards, HIPAA, Privacy laws or similar compliance activities such as SOX, PCI, etc.
  • 4 years of experience supporting audits and assessments
  • 3 years of experience in IT security control development, control testing, risk remediation, and reporting
  • 3 years of experience with one or more of the following: MS Office, Qualys, SIEM, Archer, ServiceNow

Work Best Category: Category C - Days in the office will either be designated days or will vary week to week from 2-5 days
Hours: 8:00am - 5:00pm Monday - Friday
Salary: To Be Determined Based on Individual Experience

About Comerica
We know our employees are critical to our overall success and we are dedicated to investing in their future. One of the ways we do this is to offer a comprehensive Total Rewards package designed to recognize and reward individual performance, as well as support health, well-being, development and security for our colleagues and their families. Total Rewards consists of cash compensation, development and flexible benefit programs designed to meet individual needs today and in the future. Your salary will be commensurate with your work experience and our programs are reviewed regularly to ensure each remains competitive. We are proud to offer benefits such as health and welfare programs, strong retirement benefits, and generous paid time off programs. You and your eligible family members, including domestic partners and their children, can participate in medical, dental, and vision benefits, 401(k) and pension, income protection benefits such as life insurance, AD&D, and supplemental health programs to offset unexpected health care expenses. We also have a variety of time off programs for things like vacation, sick time, disability, and parental leave. Eligibility for some programs varies based on employment status and tenure.

Upon offer, Comerica conducts a comprehensive background and fingerprint check. Your fingerprints will be used to check the criminal history records of the FBI and may be subscribed in the FBI's Record of Arrest and Prosecution Background ("RAP Back") service, which provides ongoing notification to the Company of any updates to your criminal history.

NMLS certification requirement: where applicable, a favorable background check screening, credit check, fingerprint check, and NMLS certification is required in accordance with the SAFE Act.

Comerica Incorporated (NYSE: CMA) is a financial services company headquartered in Dallas, Texas, and strategically aligned into three major business segments: the Commercial Bank, the Retail Bank, and Wealth Management. Comerica's colleagues focus on relationships, and helping people and businesses be successful. In addition to Texas, Comerica Bank locations can be found in Arizona, California, Florida and Michigan, with select businesses operating in several other states, as well as in Canada and Mexico.

Comerica is proud to be an Equal Opportunity Employer - disability/veteran.
