Security Risk Analyst
Note: Must have prior experience in implementing security policies and standards, while being able to perform risk assessments on new applications. Experience with data protection, data mapping, etc is preferred but not required. Overview
The Senior Security Risk Analyst will be a key member of the newly formed Information Security team. This individual will actively contribute to the development and implementation of an enterprise-wide information security and risk management program, and operate as an enabler to the business. S/he will provide high-quality information security governance, risk management, and compliance services. Responsibilities
- Engage the business units, such as IT, Finance, Legal, Supply Chain, Sales, and Engineering, to identify information security risks, develop action plans and lead the implementation of controls to reduce risks.
- Develop organizational information security-oriented policies, processes, procedures, and standards in alignment with the selected information security management system.
- Develop data protection strategies that include the discovery of key business data, classification criteria, data flow maps, and protective control requirements.
- Perform gap analysis against security frameworks and security risk assessments on applications, technology projects, and third-party vendor software and solutions.
- Provide input to the overall risk management strategy, both short and long term, based on the changing threat landscape and overall business objectives.
- Develop and conduct security awareness training and related activities for the business.
- Develop, collect, manage and present monthly information security (KRI/KPI) metrics.
- Lead and foster the growth of the business security champion program.
- Conduct basic security audits.
- Minimum of 3-4 years experience in information security and risk management.
- Bachelors or Masters degree in Computer Science preferably with a focus on Cybersecurity.
- Professional information security certifications such as the CISSP, CISM, or CRISC.
- Strong knowledge of common information security frameworks, including CIS Top 20 Controls, ISO 27001, and NIST 800-53 Series.
- Knowledge and understanding of regulatory requirements and data types including ePHI, GDPR, HIPPA, and PII.
- Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to both technical and non-technical audiences.
- Exhibit strong analytical skills the ability to manage multiple projects under strict timelines, as well as the ability to work in a demanding, dynamic environment to meet overall objectives.
- Ability to led cross-functional, interdisciplinary teams to drive risk mitigations efforts.