POSITION SUMMARY:
Individuals in the Information Security role plan, execute, and manage multi-faceted projects related to risk management, mitigation and response, compliance, control assurance, and user awareness. They focus on developing and driving security strategies, policies and standards, ensuring the effectiveness of security solutions, and providing security-focused consultative services to the organization. They provide expertise and assistance to ensure that the company's infrastructure and information assets are protected.

Individuals develop security policies and procedures such as user log-on and authentication rules, security breach escalation procedures, security assessment procedures, and the use of firewalls and encryption. They perform security assessments and security attestations. To enforce security policies and procedures, they monitor data security profiles on all platforms by reviewing security violation reports and investigating security exceptions. They update, maintain, and document security controls and provide direct support to the business and internal IT groups.

These professionals work directly with customers, third parties, and other internal departments to facilitate information security risk analysis and risk management processes and to identify acceptable levels of residual risk. They also communicate and educate IT and the business about security policies and industry standards and provide solutions for enterprise and business security issues.

PRIMARY DUTIES AND RESPONSIBILITIES:
Monitors compliance with security policies, standards, guidelines, and procedures.
Ensures security compliance with legal and regulatory standards.
Participates with project teams to gain a full understanding of project scope and business requirements.
Maintains awareness of current business processes and their security risks.
Assists in business impact analysis to ensure resources are adequately protected with appropriate security measures.
Follows up on deficiencies identified in monitoring reviews, self-assessments, automated assessments, and internal and external audits to ensure that appropriate remediation measures have been taken.
Runs security analysis reports using commercial tools or custom scripts and documents gaps.
Updates and maintains documentation for a global risk framework (a single view of the organization's information security risk profiles and risk tolerance).
Captures, maintains, and monitors information security risk in a single repository.
Gathers, organizes, and maintains data for reporting.
Assists in or performs security assessments and performs security attestations.
Inspects security logs to uncover possible security violations (e.g., break-ins, unauthorized activity).
Checks existing accounts and data access permission requests against documented authorizations.
Supports the coordination of all IT internal and external assessment components.
Provides responsive support and guidance for problems found during normal working hours as well as outside normal working hours, and escalates problems as needed.
Works with teams to resolve issues uncovered by internal and third-party monitoring tools.
Gathers and tracks information security metrics; generates ad-hoc and routine reports.
Assists in application security risk assessments for new or updated internal or third-party applications.
Provides updates and status of issues to information security teams.
Interfaces regularly with staff from various departments, responding to requests for assistance and information.
Assists in the development and delivery of security awareness and compliance training programs.

EXPERIENCE AND EDUCATIONAL REQUIREMENTS:
Bachelor's Degree in Computer Science, Information Systems, or a related field, or equivalent work experience.
Typically requires 5+ years of IT work experience.

MINIMUM SKILLS, KNOWLEDGE, AND ABILITY REQUIREMENTS:
Strong computer skills to operate effectively with company systems and programs; working knowledge of the applicable computer applications used at ABC.
Relevant areas and certifications: GRC, CISM, CISSP, CISA, audit, ISO, NIST.
Working knowledge of network solutions and systems.
Good analytical and problem-solving skills.
Ability to communicate effectively both orally and in writing; good interpersonal skills.
Ability to prioritize workload and consistently meet deadlines.
Strong organizational skills and attention to detail.
An understanding of at least two of the following standards: ISO 27001/27002, COBIT, ITIL, NIST, and PCI.
Strong written and verbal English language skills.
Must be able to work with business stakeholders during their normal working hours (typically 9:00 AM to 5:00 PM ET, US).
JOB TITLE: Risk Analyst