Sr Analyst, Information Security - SOC

Lowe's Companies, Inc.•Mooresville, NC

6d•Onsite

About The Position

This position is based at our headquarters in Mooresville, North Carolina. Our corporate office is a space where you can collaborate and do your best work. Take a walk, grab a bite (or a cup of coffee), work out or get a check-up – we invest in you so you can find your inspiration. Your Impact The primary purpose of this role is to lead the implementation and ongoing delivery of information security tools and processes. This includes responsibility for creating, executing, and improving processes and procedures with limited direct guidance from more senior level security associates. This role solves complex problems while creating and optimizing processes and often takes a lead role in implementing new services and technologies. This role requires a strong understanding of most tools and processes supported by the team, including many of the key integration points with other parts of technology, works mostly independently, and provides coaching and direction to more junior level associates. When focused on Identity & Access Management (IAM), this role delivers timely, accurate, and controlled system access for the company's global workforce. This includes creating and maintaining processes, tools, controls, and governance mechanisms such as roles, reports, metrics, and issue resolution services. When focused on Security Architecture, this role is dedicated to the evaluation and enhancement of robust security solutions and frameworks. This includes developing and maintaining comprehensive security architectures, ensuring alignment with industry standards and best practices. When focused on Security Threat & Vulnerability, this role executes processes focused on vulnerability identification or remediation. This includes information security and risk activities such as oversight of vulnerability assessments and remediation programs serving both internal and external stakeholders. When focused on Security Governance, Risk, and Compliance (GRC), this role completes activities that help drive awareness and adherence to information security policies and standards.

Requirements

Bachelor’s degree in computer science, computer information systems, engineering, business administration, cybersecurity, or related field or equivalent years of experience in lieu of education requirement, if applicable
4 years of experience in information security

Nice To Haves

IT experience in the retail industry
Hands-on experience on GRC applications & TPRM tools (e.g., Archer, LogicGate, SAP GRC, OneTrust, ProcessUnity, ServiceNow, BitSight, Prevalent, Black Kite, etc.)
Experience with vulnerability identification & penetration testing tools
Experience with vulnerability management in public/hybrid cloud environments.
Experience with IAM technology implementation and operations (e.g., CA, Sailpoint, OKTA, SSO, MFA, IGA, Microsoft AD) (specific to IAM role)
Experience developing cybersecurity or information assurance policies, standards, awareness training, or equivalent issuances (specific to Security GRC role)
Payment Card Industry Internal Security Assessor (PCI ISA)
Certified in Risk and Information Systems Control (CRISC)
Offensive Security Certified Professional (OSCP)
GIAC Penetration Tester Certification (GPEN)
Practical Network Penetration Tester (PNPT)
eLearnSecurity Certified Professional Penetration Tester (eCPPT)
Certified Third-Party Risk Professional (CTPRP)
Certified Third Party Risk Assessor (CTPRA)
CompTIA PenTest+ Certification
Or other relevant information security certifications

Responsibilities

Analyze data to detect trends, determine metrics, assess adherence to processes, make recommendations. and present results to information security and business leaders and/or vendors.
Serve as an escalation point and mentor for junior staff.
Maintain an awareness of information security news and trends and research current technologies to assist in development of new capabilities.
Consolidate security related findings, track OKRs, and present results to information security and business leaders and/or vendors.
Translate and document business needs into technical requirements and solutions.
Advise users and team members on execution of processes, interpret standards and regulations, and assist with solutions.
Create, execute, and improve processes and procedures in areas that include IAM, security policies, standards and controls creation and management, compliance management, risk management, training, and vulnerability assessment and remediation.
Support IAM services by performing complex access provisioning, access reviews, role creation, and end user support.
Complete high complexity account lifecycle management and application on-boarding to the IAM services, provisioning, access governance, role-based access creation, privileged access governance, and end user support for IAM and access-related service issues.
Draft, apply, and interpret regulatory compliance standards and security policies, and advise on matters of compliance and solution options.
Partner with senior key stakeholders to develop or update information security documents, such as policies, standards, procedures, and training.
Analyze complex technical and business requirements from a security perspective and make appropriate recommendations to reduce the over-all risk to the company.
Design, develop and implement information security awareness and training programs tailored to the company's needs, objectives, and target audience. (governance)
Establish, monitor, and update an effective information security governance framework that defines roles, responsibilities, and decision-making processes in collaboration with relevant stakeholders and in alignment with industry best practices. (governance)
Implement and maintain a robust change and configuration management process, ensuring that all updates, revisions, and changes are documented, tracked, and approved in a systematic manner. (risk)
Conduct online and onsite third-party risk assessments to identify and evaluate potential risks, including cybersecurity, regulatory compliance, financial stability, and operational risks. (risk)
Work with vendors to address identified risks, establish risk mitigation plans, and monitor the implementation of remediation actions till closure. Ensure accurate and up-to-date records of assessments and associated risk mitigation activities. •(risk)
Develop TPRM metrics and dashboard to provide visibility into the vendor’s risk posture and recommend improvements. (compliance)
Develop, implement, execute, and enhance the organization's IT compliance program. Ensure compliance with regulatory requirements, internal policies, and deadlines.