Information Security Risk and Compliance Strategy Analyst
Status: Newly Created Position
Location: Sacramento, CA
Relocation: Some Relocation Provided
Compensation: Mid $100s
- Security Strategy: Provide recommendations for the development, documentation and maintenance of an enterprise security strategy. Assess the current security posture and provide oversight to help meet strategic security targets and goals. Provide governance over the development of internal processes for streamlining risk analysis techniques.
- Compliance and Governance: Review and research regulatory, legal, corporate and third-party security requirements and blend them into a single security and risk framework.
- Team Lead: Serve as team lead and expert in the remediation of systems and applications for certification and compliance. Support IT risk analysis, evaluations and education on IT assets and processes as they pertain to compliance; evaluate and propose solutions to mitigate risks under the established risk management strategies.
- Third-Party Risk: Evaluate risks associated with the use of third-party vendors. Review security requirements in customer and vendor contracts for compliance. Respond to security questions in RFI/RFPs to support the procurement of new customers.
- Relationship Management: Assess the alignment of the security program with business strategy, requirements and corporate risk appetite. Build relationships, increase awareness and blend business needs with security deliverables.
- Metrics and Reporting: Develop and implement tool sets to build a security metrics program that speaks in business language and demonstrates the value of information security.
- Communications and Security Awareness: Create and maintain a two-way dialogue where key security and compliance messages for all layers are crafted to build consensus and momentum, accommodating business needs and targets.
- Partnering / Collaboration: Partner with constituents on remediation planning and ensure identified gaps have been appropriately managed in order to achieve certification and/or compliance; support the definition and recommended implementation of key risk indicators.
- Regulatory Compliance: Review compliance regulations and take the lead in updating organizational IT compliance initiatives.
- US Citizenship Required. Must be eligible for security clearance.
- BA/BS in Computer Science or Information Security. Appropriate experience in place of a degree will be considered.
- Minimum of seven years of experience in Information Technology with a minimum of five years in Information Security related roles.
- Must have a current CISSP, CISA, CRISC, CISM or other equivalent information security or risk management certification.
- This position requires U.S. Citizenship and proof of favorable adjudication following submission of Department of Defense form SF86 or higher security.
- Excellent interpersonal skills, oral and written communication skills to interface with internal and external parties in a professional manner that creates confidence in his/her subject matter expertise.
- Requires five or more years of experience in Governance, Risk and Compliance (GRC) roles with at least one year of team lead experience.
- Strong knowledge of relevant compliance requirements, laws and regulations impacting data protection and confidentiality, integrity and availability of systems and data.
- Experience with HIPAA, HITECH, Sarbanes-Oxley and state regulations is preferred.
- Deep knowledge of recognized information security governance frameworks such as ISO, COBIT, and NIST.
- Strong analytical, planning, creative problem solving, and multi-tasking skills.
- Thorough understanding of governance concepts, approaches, controls and frameworks.
- Comprehensive knowledge of how technologies, processes and controls impact information security, risk and audit in both the information systems and corporate business environment.
- Sound familiarity with security systems (firewalls, IPS, anti-virus, encryption, authentication, etc.) as well as a solid and broad general technical foundation (networking, servers, applications, etc.).
- Strong ability to translate security and operational controls into business risk.
- Requires knowledge of information security, access controls, application and platform controls, data protection and cryptography, operations security, telecommunications, network and internet security, disaster recovery and physical security controls.