The Information Security Analyst is responsible for maintaining the security and integrity of data and must have knowledge of every aspect of information security within the company. The Security Analyst is responsible for the development and oversight of security requirements involved in new initiatives and in the modification and ongoing support of existing objectives and initiatives. The Security Analyst must work with business partners as well as IT professionals to implement security controls for the organization. The position will provide security-based risk assessments of internal controls and processes, third-party service providers, and business- and technology-sponsored projects and initiatives. This includes working with managers and other stakeholders to develop contractual requirements, conduct security assessments, and report assessment results to management in a timely manner.
- Function as a frontline representative of Information Security leading by example, being diplomatic yet firm, fair, flexible and consistent in deploying industry standard information security best practices and applicable laws, regulations, and policies.
- Provide security-based risk assessments of business- and technology-sponsored projects and initiatives, including engagements with third parties.
- Provide support and guidance regarding best practice, regulatory, and legal compliance, including GLBA, GDPR, ISO 27002, NIST, PCI, and SOX.
- Use knowledge of information security standards and best practices to assist management in the creation of persuasive policy and procedures to influence security culture.
- Evaluate security controls and identify potential risk.
- Interact with all levels within the organization to ensure activities are understood and completed appropriately.
- Maintain up-to-date procedure documentation of assessments and controls.
- Work with process owners to ensure that they understand risks and that remediation plans and target dates are developed and documented.
- Initiate, facilitate, and promote activities to create information security awareness within the organization.
- Monitor compliance with information security policies and procedures.
- Support, communicate, and reinforce the mission, values, philosophy, and culture of the organization.
- Bachelor's degree in Information Security / Assurance, Computer Science, Information Technology, or a related discipline from an accredited college.
- Demonstrated knowledge of the information security discipline via relevant industry certifications (e.g., CISSP, CAP, CISM, GSNA, PCI ISA).
- Minimum of three (3) years of experience in information technology or business analysis, with at least one (1) year in an information security specific field, such as user access management, computer forensics, network perimeter security, incident response, system security, risk, audit, or other related discipline.
- Understanding of security controls, such as encryption, identity and access management, and vulnerability scanning.
- Understanding of IT compliance with regulatory requirements (e.g., GLBA, SOX, PCI) and frameworks (e.g., NIST, ISO 27002, GDPR).
- Understanding of risk and compliance assessment methodologies.
- Knowledge of network-based services, client/server applications, mobile applications, enterprise systems and infrastructure, network architecture, and security infrastructure.
OTHER REQUIRED SKILLS
- Ability to take initiative, work independently, and effectively manage multiple projects.
- Ability to build and maintain high credibility with all business partners.
- Strong verbal and written communication skills and task management skills.
- Ability to document and explain technical details clearly and concisely.
- Strong analytical and problem resolution skills with the ability to react quickly.
- Proven self-starter, willing to accept additional responsibilities as the position expands.
- Experience performing assessments of IT internal controls.
- Experience performing process improvement analysis of IT processes.
- Experience performing information security reviews of third-party service providers.
- Experience with GRC systems (ServiceNow a plus).
- Project management knowledge and experience.
- Minimum of five (5) years of experience in information technology or business analysis, with at least three (3) years in an information security specific field, such as user access management, computer forensics, network perimeter security, incident response, system security, risk, audit, or other related discipline.