Location: Mounds View, MN
Date Posted: July 1, 2019
Our client is currently seeking an Information Security Analyst.
Top things in an ideal candidate:
- Previous experience with assessing third party/vendor IT security risk
- Great written and verbal communication skills
- Strong understanding of IT security controls
- CISSP certification is a plus
Must have third-party security risk assessment experience.
Can work remotely up to 60% of the time.
The hiring manager wants to fill this position as soon as possible.
The Global Privacy and Security Office risk assessment team partners with IT, business, and project teams to perform security risk assessments for applications, infrastructure, and vendor / third parties. This position will focus on performing risk assessments for internal and external partners through reviews of security requirements, policy and technical controls, and tracking of security exceptions and remediation.
This is an individual contributor role responsible for conducting internal and external information security risk assessments, including identifying and communicating information security risk, providing recommendations for risk reduction, and tracking and resolving security issues of advanced complexity. This position requires an ability to analyze complex projects and to identify relevant security risk and security policies and gaps. This role works independently with project teams and requires advanced oral and written communication skills.
- Work independently with end-users and business partners to assess business customer requirements, match those requirements to objectives, and guide them to the applicable processes and products, including developing specifications and enhancements that achieve the customers' and business goals.
- Perform hands-on IT security risk assessments of both new and existing in house and vendor-based systems.
- Prepare formal written reports to communicate assessment results.
- Document and communicate recommended security controls and deficiencies.
- Contribute to company standards and policies related to IT security risks.
- Monitor third party vendor deficiencies and policy exceptions and provide solutions to mitigate risk and remediate control deficiencies.
- Assess the security controls and residual risks of applications and systems, to effectively communicate those controls and risks, and to work collaboratively across the enterprise to reduce the identified risks.
- Perform interviews, analyze design documents, review output from automated scanning tools, assess threat and vulnerability information to evaluate project and process designs, applications, network infrastructure and information systems, and determine security compliance and overall security risk, based on corporate policies, security requirements documents, industry common practice, and legislative and legal requirements.
- Coordinate and perform holistic security audits and vulnerability assessments to assess internal security procedures and compliance requirements.
- Work with relevant internal IT Application, Infrastructure, Network, Project and Support teams to ensure that appropriate security controls are identified and implemented at all significant and relevant phases of all IT processes.
- Manage the expectations of the customer (i.e. balance their needs with wants and educate as appropriate).
- Develop solutions to problems of unusual complexity, which require a high degree of ingenuity, creativity, and innovativeness. Challenges are frequently unique and solutions may serve as a precedent for future decisions.
- Analyze complex issues and significantly improve, change, or adapt existing methods.
- Market and communicate program vision to project teams, key business stakeholders, and executive leadership.
- Communication planning, information distribution, performance reporting, and administrative closure.
- Oversee the translation of functional business requirements to technical solutions and articulate these solutions to high-level audiences.
- Provide detailed functional knowledge and maintain insight into current industry best practices and how they can be applied to the company.
- Ensure that company's systems and the information on them are protected in accordance with company's Information Protection Policies and Standards, as well as best Information Protection practices.
- Work with very little direction towards predetermined long-range goals and objectives.
- Work is checked through consultation and agreement with others rather than by formal review by a superior.
- Establish streamlined processes and structures that accelerate change initiatives; play a leadership role in change efforts.
- Translate business and IT security and privacy requirements into solution designs and implementation plans.
- Follow the Global IT engagement management model and ensure it is aligned with corporate engagement models.
- Escalate security and privacy issues as appropriate.
IN ORDER TO BE CONSIDERED FOR THIS POSITION, THE FOLLOWING BASIC QUALIFICATIONS MUST BE EVIDENT ON YOUR RESUME
- GED/High School Graduate
Years of Experience
- 15+ years of IT experience with a GED/High School Graduate
- 11+ years of IT experience with Associate Degree
- 7+ years of IT experience with a Bachelor’s Degree
- 5+ years of IT experience with a Master’s Degree
- Bachelor’s Degree
- Experience creating risk mitigation strategies
- Strong demonstrated knowledge of IT risk management gained as a practitioner
- Five years of experience with Information Security and Risk related processes, technologies and toolsets
- Proven experience performing controls testing in compliance and vendor related audits or assessments for a large organization
- Extensive knowledge of security and privacy laws/regulations, especially SOX, PCI, GLBA, HIPAA
- Extensive knowledge of industry information technology standards and control frameworks (NIST, ISO 27000 series, COBIT, COSO, etc.)
- Broad knowledge of many aspects of information security, with in-depth understanding of and hands-on experience in many of the following areas: firewalls, IDS/IPS, VPN, authentication technologies, web filtering, proxy firewalls, network taps, and tap aggregators
- Information Security, Privacy and Governance, Risk & Compliance (GRC) certifications a plus (SSCP, CIA, CISA, CISSP, CRISC, CISM, CIPP, GIAC etc.)
- Extensive background in all aspects of information security, technology governance and compliance processes.
- Expert knowledge in risk assessment methodologies, security frameworks and relevant global regulations.
- Possess highly developed skills in information security risk management in a complex, networked environment.
- Expert knowledge of security techniques and technologies.
- Strong capability to research and evaluate emerging technologies.
- Strong understanding of the software/hardware/tools to support and manage the IT Security environment
- Strong written and oral communication skills, including facilitation and an ability to explain complex concepts to technical and non-technical areas in the organization
- Ability to work independently with minimal supervision.
- Creative problem-solving skills and capability to understand complex technical issues and new technologies in a fast-paced work environment.
- Knowledge of a broad range of technologies including, but not limited to:
  - Endpoints: desktop, laptop, server, and mobile hardware and OS
  - Networking: voice and data
  - Storage and databases
  - Virtualization
  - Middleware and web
  - Cloud: internal and external/public infrastructure and software
  - Identity and Access Management: Active Directory and LDAP, federation and SSO
  - Vulnerability scanning and penetration testing
- Knowledge and understanding of different security products (web/email filtering, disk encryption, IDS/IPS, antivirus, vulnerability scanning, DLP, firewall, SIEM etc.)
- In-depth knowledge of networks and systems with ability to understand security requirements documents for such assets as routers, switches, firewalls, Windows and UNIX systems, database systems, applications, and security architectures
- Understanding of the healthcare IT regulatory environment, including HIPAA, PHI and PCI-DSS
- Demonstrated knowledge of information security and privacy concepts, best practices, and strategies
- Excellent judgment and decision making skills when under pressure
- Sound business and technical acumen
- Experience with Lockpath Keylight or other GRC tools (e.g. Archer, Agiliance, BWise, BPS, Chase Cooper, Paisley, etc.) to understand, evaluate and quantify risk.
- Familiarity with Risk Assessment methodologies
- Knowledge of software development methodologies, application security, and OWASP guidelines
- Experience with incident response and forensics
- An understanding of ITIL concepts (foundation knowledge or above) and procedures.