General Position Summary
The IT Service Management & Compliance department is responsible for the oversight and coordination of all security and compliance-related functions for the Information Technology & Services (ITS) division. The IT Service Management & Compliance Analyst plays a key role in carrying out this responsibility by providing leadership in the areas of information security, compliance, and governance. The Analyst is responsible for ensuring the optimal balance between the requirements of security and compliance and operational feasibility.
The security and compliance responsibilities of the department will be executed within the framework developed and maintained by the IT Service Management & Compliance Manager, the IT Service Management & Compliance Analysts in order to ensure consistent application of security and compliance requirements across the ITS organization. The Analyst is responsible for developing and maintaining the architecture of this framework for the department.
The IT Service Management & Compliance Analyst provides technical assistance and mentoring to Analysts in the completion of complex assignments. In this role, the Analyst provides oversight and guidance to ensure cyber assets maintain the required level of auditable security controls configuration and that Analysts have a clear understanding of internally and externally-defined compliance requirements. Additionally, the IT Service Management & Compliance Analyst is called upon to serve as the lead for various projects and initiatives related to the functions and responsibilities of the IT Service Management & Compliance Department, as required.
In order to effectively perform these responsibilities, the IT Service Management & Compliance Analyst must have effective communication skills, a proficiency in developing effective processes, a strong understanding of information security fundamentals and principles, a deep understanding of the NERC CIP and SSAE 16/18AS compliance requirements and audit processes, and a broad understanding of all areas of information technology. They must be able to identify preventative and corrective actions and understand audit quality evidence standards.
Essential Duties and Responsibilities
• Participate in managing the ITS divisional relationship with Internal Audit, NERC & Regional Coordination, CIP Compliance as well as Security Management
• Responsible for actively identifying opportunities for communication and training for ITS staff
• Responsible for participating in the development and delivery of training material
• Participate as a reviewer of all new documentation and proposed revisions to existing documentation related to security and compliance
• Establish and maintain framework for ITS documentation related to security and compliance matters
• Responsible for preparation and/or review and sign-off on remediation activities as defined as a result of forensics on cyber incidents and compliance findings
• Responsible for Preparation and/or review and sign-off on remediation activities defined as a result of internal and external penetration tests, vulnerability assessments and audit findings
• Responsible for preparation and/or review and sign-off on proposed management responses to Internal Audit findings
• Represent ITS Service Management & Compliance on the Security Risk Assessment Board (SRAB) and System Engineering & Design (SED)
• Define and maintain security, compliance and evidentiary requirements for system and software design in conjunction with Security Management organization
• Oversee the security controls architecture, design and development for all new systems and enhancements to existing systems
• Work closely with ITS Service Management & Compliance manager to develop effective strategies and processes to support the evolution of security and compliance practices within ITS
• Lead for the creation, modification and implementation of ITS control activities to ensure compliance with new versions of the NERC CIP standards
• Lead role in audits by Regional Entities for those compliance requirements owned by ITS
• Lead the team in delivering against mitigation plan milestones and security control inspection and testing.
• Provide technical guidance and support to ITS Service Management & Compliance Analysts as appropriate and in conjunction with the manager
• Participate in and/or provide oversight in security assessments conducted by ITS Service Management & Compliance Analysts
Characteristics and Qualifications
- BS, Computer Engineering, Computer Science or Information Systems
- At least 4 years of experiencesecurity controls and overseeing compliance to externally defined standards such as NERC CIP, SAS 70, SOX 404, or HIPAA
- Experience with Enterprise Password Vaulting technologies not Cyber-Ark specifically
- Ability to produce high-quality work products with attention to detail
- Experience in quantitative and qualitative analysis
- MBA, Business Administration
- Experience with PJM operations, markets, and planning functions
- Experience supporting any of PJM Committees
Job ID 2017-2918