He/she will provide direct support to the GIS Director, Risk, Engineering & Architecture; follow up on necessary action items for the GIS Director, Risk, Engineering & Architecture team; and provide subject matter expertise from a security risk management perspective as needed.
Responsibilities include, but are not limited to:
- Assess, track, document, and report on information security risks and controls
- Conduct application, project, contract and third-party risk assessments and continuous monitoring of key risk indicators and key performance indicators
- Execute the full lifecycle of third-party assessments on an ongoing basis
- Monitor, evaluate, and maintain the systems and procedures used to assess security risk in project, application, contract, and third-party information security risk assessments
- Maintain the process for tracking and reporting on risk through the risk register solution
- Enhance and maintain the enterprise vulnerability management program
- Educate and communicate security requirements and procedures to IT system owners and others
- Write and edit reports and other documents to communicate information regarding security risks and controls to executives, project managers, system owners, business unit managers and others
- Demonstrated experience in information security, security products/systems, security risk analysis or other directly related technical experience
- Strong analytical, interpersonal and communication skills
- Successfully applies security principles to a diverse range of risk scenarios to coordinate acceptable solutions between business needs, technology operations, and information security best practices
- Assist in designing and supporting the overall security architecture of the enterprise systems environment
- Interface with the GIS Operations team regularly to assist in operationalizing and integrating ongoing incident response and cyber intelligence outputs into necessary infrastructure/tools
- Prepare system security reports by collecting, analyzing, and summarizing data and trends.
- Determine security requirements by evaluating business strategies and requirements; researching information security standards; conducting system security and vulnerability analyses and risk assessments; studying architecture/platform; identifying integration issues; preparing cost estimates.
- Update job knowledge by tracking and understanding emerging security practices and standards; participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations
- Expectation of off-hours support, responsiveness and availability in response to security-related incidents, material developments which could create risk to the Company, known threats, etc.
- Bachelor’s degree in Computer Science, Information Systems, other related field; or equivalent work experience
- Minimum of three years of information security experience in a corporate or consulting environment
- Minimum of two years of information security risk experience in a corporate or consulting environment
- Demonstrated exceptional passion and drive for cyber security, as evidenced by self-driven past accomplishments that had significant positive impact to shareholders (preferred)
- Knowledge of compliance regulations (e.g. GDPR, PCI, SOX)
- Any one or more of the following preferred:
  - Certified Information Systems Security Professional (CISSP) from ISC2
  - (any) Global Information Assurance Certification (GIAC) from SANS
- Knowledge of common information security management frameworks and practices such as ISO/IEC 17799:2005 and ISO/IEC 270xx, National Institute of Standards and Technology (NIST), and the United States Computer Emergency Readiness Team (US-CERT)
- Effective technical skills to understand the ramifications of various system security recommendations and decisions
- Excellent oral/written communication, problem solving and analytical skills
- Ability to work independently and as part of a team to achieve desired objectives and project results
- Ability to interface effectively and decisively with all levels of management, departments and outside vendors.