Information Security Analyst (GRC-IRM)

About The Position

Requirements

• Understanding of pragmatic information security controls and holistic defense-in-depth strategies
• Understanding of current and developing industry and information security technologies, risks, and trends
• Working knowledge of security frameworks such as SCF, NIST, ISO 27001, etc.
• Written and oral communication skills that enable effective communications to appropriate audiences
• Extreme attention to detail always leaning toward caution
• Ability to learn and retain new skills required to adapt to evolving business and technical environments
• Ability to influence and motivate others
• Ability to occasionally work during non-standard shifts and in an on-call capacity and be available for occasional travel (up to 5%)
• College degree or equivalent experience in information security or computer information systems.
• Minimum 2-3 years of information security experience, preferably in the GRC/IRM realm. Experience interpretating data from multiple sources to quantify potential risk and impact.
• Hands-on experience with Integrated Risk Management platforms supporting governance, risk, compliance, and security at an enterprise level. (e.g., OneTrust, RSA Archer, ServiceNow, etc.), common controls frameworks (e.g., Secure Controls Framework, etc.), and threat intelligence platforms, feeds, and services
• Experience identifying and addressing security risks associated with host and network operating systems (e.g. Windows, Linux, AIX, AS400, PAN OS, Cisco IOS, etc.); enterprise services (e.g. directory services, email, content management and collaboration, web publishing, database, virtualization, etc.); client-server, thin-client, and web-based applications; enterprise applications; cloud services (e.g. SaaS, IaaS, etc.); data storage, security architecture, network communications technologies and protocols, etc.

Responsibilities

• Perform effective security risk assessments of services, solutions, and vendors by (i) staying current with security risk assessment techniques and trends, (ii) performing independent research to gather and document security posture information; (iii) identifying areas of risk and evaluating for applicability and severity; (iv) tracking, updating, and centrally maintaining identified risk information; (v) identifying and recommending pragmatic risk remediation options; (vi) drafting comprehensive risk assessment reports, and (vii) collaborating with and providing guidance to business owners to ensure identified risks are managed to risk-appropriate remediation, transference, avoidance, or acceptance outcomes.
• Support defined Company operating principles; help analyze, define, implement, and administer efficient business processes related to the information security program; support a variety of security technologies in a hands-on manner; monitor service request queues and provide first tier support to internal customers, owning tickets and driving resolution; use project management best practices to initiate, manage, and close projects; and create and maintain documents related to projects and information security policies, standards, procedures, recommendations, etc.
• Analyze current and emerging security best practices, and legal and industry regulatory compliance requirements, for applicability. (Including ESG environmental, social, and governance considerations.) Stay current with associated security and industry trends, best practices, and standards. Examples include PCI DSS, SOX, HIPAA, GDPR, CCPA.
• Work with the information security management team to administer, maintain, and continuously improve applicable regulatory and internal controls compliance programs, investigate known or suspected security incidents, and support internal and external audits.
• Participate in meetings; build and maintain strong partnerships with multiple departments; participate in vendor support engagements; and other duties as required.