information security analyst

Company Overview:

Responsible for (i) working with the information security management team to support the Company's information security programs, maintain Sarbanes-Oxley (SOX), HIPAA, and PCI DSS compliance programs, and support a variety of systems and applications, (ii) contributing across a variety of IT projects, and (iii) as a team member, recommending, designing, implementing, supporting, etc. pragmatic information security controls that meet dynamic tactical and strategic information security objectives. Primary focus is governance, risk, and compliance ("GRC") / integrated risk management ("IRM") processes, solutions, and support.

Job Details:

Duties & Responsibilities:

• Perform or support effective security risk assessments of services, solutions, and vendors by (i) staying current with security risk assessment techniques and trends, (ii) performing independent research to gather and document security posture information; (iii) identifying areas of risk and evaluating for applicability and severity; (iv) tracking, updating, and centrally maintaining identified risk information; (v) identifying and recommending pragmatic risk remediation options; (vi) drafting comprehensive risk assessment reports, and (vii) collaborating with and providing guidance to business owners to ensure identified risks are managed to risk-appropriate remediation, transference, avoidance, or acceptance outcomes.
• Support defined Company operating principles; help analyze, define, implement, and support efficient business processes related to the information security program; support a variety of security technologies in a hands-on manner; monitor service request queues and provide first tier support to internal customers, owning tickets and driving resolution; use project management best practices to initiate, manage, and close projects; and create and maintain documents related to projects and information security policies, standards, procedures, recommendations, etc.
• Analyze current and emerging security best practices, and legal and industry regulatory compliance requirements, for applicability. Stay current with associated security and industry trends, best practices, and standards. Examples include PCI DSS, SOX, HIPAA, GDPR, CCPA.
• Work with the information security management team to support and continuously improve applicable regulatory and internal controls compliance programs, investigate known or suspected security incidents and support internal and external audits.
• Participate in meetings; build and maintain strong partnerships with multiple departments; participate in vendor support engagements; and other duties as required.

Knowledge, Skills and Abilities (KSAs):

• Understanding of pragmatic information security controls and holistic defense-in-depth strategies
• Understanding of current and developing information security technologies and trends
• Working knowledge of security frameworks such as NIST, ISO 27001, etc.
• Written and oral communication skills that enable effective communications to appropriate audiences
• Focus on attention to detail, always leaning toward caution
• Ability to learn and retain new skills required to adapt to evolving business and technical environments
• Ability to influence and motivate others
• Ability to occasionally work during non-standard shifts and in an on-call capacity and be available for occasional travel (up to 5%)

Qualifications:

Work Experience &/or Education:

• College degree or equivalent experience in information security or computer information systems.

Minimum 1-2 years of information security experience, preferably in the GRC/IRM realm. Hands-on Navex (formerly LockPath) Keylight experience and/or certifications preferred
- Practical working knowledge of GRC/IRM workflow, asset, and process management platforms (e.g., Navex [Lockpath] Keylight, RSA Archer, MetricStream, ServiceNow, etc.), common controls frameworks (e.g., UCF, Adobe CCF, etc.), and threat intelligence platforms, feeds, services
- Experience identifying and addressing security risks associated with host and network operating systems (e.g. Windows, Linux, AIX, AS400, PAN OS, Cisco IOS, etc.); enterprise services (e.g. directory services, email, content management and collaboration, web publishing, database, virtualization, etc.); client-server, thin-client, and web-based applications; enterprise applications (e.g. Lawson); cloud services (e.g. SaaS, IaaS, etc.); data storage, security architecture, network communications technologies and protocols, etc.