Reporting to the Chief Information Security Officer, the Information Security Analyst – Compliance is responsible for the day-to-day administration of the information security compliance activities of the Enterprise and its subsidiaries, including maintenance of the information security program to ensure that information assets and the associated technology, applications, systems, infrastructure and processes are adequately protected in the Enterprise's digital ecosystem, and that the Enterprise's compliance processes and procedures remain current with regulatory and industry requirements. These responsibilities encompass Information Security Policies & Standards, Enterprise Security Awareness and Testing, Vendor Due Diligence, Annual Audit Support and Technology Risk Management, including Disaster Recovery and Business Continuity. The Information Security Analyst – Compliance supports the CISO in identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing the Enterprise's business objectives. Technical information security activities are managed separately in Security Operations.
The ideal candidate must possess two to four years of experience in information technology or information security with a strong background in processes and best practices in information systems, information security and/or network security. Strong written and oral communication skills, the ability to work in a team environment and a collaborative attitude are required. Additionally, working knowledge of information security controls as defined by leading practices (NIST, ISO 27000, COBIT) and regulatory requirements (FFIEC, PCI-DSS), experience with risk assessments, and the ability to perform and/or manage information security audits are also requirements for this role.
- Conducts quarterly audits of various system and user accounts to determine user removal, transfer and/or limitation of access
- Conducts periodic compliance audits of Hardware and Software Asset Inventories
- Serves as subject matter expert for the information security critical processes and associated rules, and ensures the processes align to regulatory, statutory and industry requirements and Enterprise policy.
- Assists the CISO with defining and executing the annual risk assessment plan; and obtaining signoff from key stakeholders across the Enterprise.
- Keeps current with emerging security issues, trends, and tools.
- Conducts security awareness activities including employee awareness training and internal phishing campaigns using the Enterprise's Social Engineering Platform. Coordinates the annual National Cybersecurity Awareness Month program and activities.
- Coordinates annual internal and external penetration tests, and remediation efforts.
- Reviews application security logs, such as Horizon 360.
- Schedules and coordinates annual information security audit activities with regulators, vendors and Internal Audit.
- Schedules and coordinates annual information security testing activities (DR/BCP/IRP) with business stakeholders, IT, and vendors. Ensures summary reports are completed.
- Conducts Vendor Management information security due diligence activities, including review of SSAE18 and other relevant reports. Compiles Complementary User Entity Control (CUEC) documentation where shared control responsibilities exist.
- Coordinates annual review and update of Information Security Policies and Procedures.
- Coordinates annual review and update of the Enterprise's contingency plans, including the Disaster Recovery Plan (DRP), Business Continuity Plan (BCP), and Incident Response Plan (IRP).
- Coordinates Annual GLBA testing and ensures summary reports to the CISO and Board of Directors are completed.
- Assists CISO with conducting vendor security reviews, as requested.
- Conducts physical security and "clean desk" reviews of all locations.
- Assists with gathering IT security metrics to measure the effectiveness of the security program.
- May be required to perform additional duties as needed.
- Supervisory Responsibilities: This position does not include supervisory responsibilities.
- Bachelor's degree or higher from an accredited college or university in a technical field (Computer Science, Management Information Systems, Engineering) and/or equivalent experience.
- Minimum of 2 to 4 years of experience in a combination of information security, risk management, information technology and governance roles.
- Professional security management certification(s) in current standing, such as Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), CompTIA Security+, SANS GIAC certifications, or other similar credentials.
- Working knowledge of common information security management and governance frameworks, such as ISO/IEC 27001, NIST (including 800-53 and Cybersecurity Framework), Cloud Security Alliance, Center for Internet Security, SANS Top 20 Critical Security Controls, COBIT, COSO and/or other leading practices frameworks.
- Working knowledge of information security risk management and cybersecurity technologies.
- Knowledge and understanding of relevant legal and regulatory requirements including FFIEC, GLBA, Red Flag, State privacy regulations, and PCI-DSS.
- In-depth background in information security policies and procedures, including knowledge of software development security practices (DevSecOps) and third-party oversight.
- Experience maintaining and executing disaster recovery programs, incident response programs, business continuity programs, security incident playbooks, plan testing scenarios and communications plans.
- Excellent communication skills, both written and verbal, including the ability to create and deliver technical presentations to technical and non-technical staff, and to communicate with operational, executive and Board-level management.
- Excellent analytical and problem-solving skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- Excellent stakeholder management skills. Ability to assume leadership and management responsibilities in a matrix support organization.
- Working knowledge of Information Security Risk Assessment processes.
- Experience with vendor management due diligence practices.
- Experience with vulnerability and patch management.
- Experience with IT Asset Management.
- High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity.
- Poise and ability to act calmly and competently in high-pressure, high-stress situations.