Principal Cybersecurity Risk Analyst

Posted On: Nov 13, 2025

Location: Newark, NJ 07105

6 Months, Contract

Mode of work: On-site

Job Summary

Job Title: Principal Cybersecurity Risk Analyst

Posted Date: Nov 13, 2025

Duration: 6 Months, Contract

Shift(s): 08:00 - 16:00

Salary ($): 93.00 - 95.00 per hour (compensation based on experience and qualifications)

Talk to our Recruiter

Name: Bishwaroopa Singh

Email: Bishwaroopa@rangam.com

Phone: 425-264-4490

Description

Potential temp to perm.

Job Overview

  • The Principal Cybersecurity Risk Analyst (PCSA) will lead project and technology-based risk assessments within the environment, lead technical and nontechnical third party risk assessments, and recommend mitigating action or controls.
  • The PCSA will further identify and convey information security, physical security, business continuity, and IT operational requirements to project teams and the Sourcing department in support of new contracts and ongoing engagements.
  • The primary responsibility of the PCSA is to oversee and monitor mitigation strategies for information security risks.

Major Responsibilities

  • Lead third party vendor risk, project risk, or technology risk assessments. Oversee the assessment of the adequacy of a vendor's security program to safeguard client data. Communicate with business and IT regarding security risks and deficiencies.
  • Lead ongoing security assessments to validate appropriate controls are in place. Review Vendor reports to acknowledge findings from the security assessments and document remediation action plans. Ensure proper evidence is gathered to facilitate timely closure of remediation plans.
  • Provide Information Security consulting and subject matter expertise on third party service contracts and/or Sourcing arrangements and internally to junior analysts.
  • Lead the development and improvement of security processes and assist in metrics development, both within the technology and business organizations. Continuously review and improve the TPRM program, with the intention of improving the efficiency of the workflow as well as the quality of metrics development and reporting.
  • Lead cross-functional teams to serve as the facilitator between the Information Cyber Security Office and the broader organization. Act as a security advisor and ensure an ongoing awareness of identified risks.
  • Collaborate with internal ICSO teams to utilize expertise to identify evolving security threats and provide in-depth understanding of "if, how, and when" they should be addressed. Conduct technical research to aid in threat assessment.
  • Lead the evaluation and assessment of supplier criticality and review changes in scale and scope of services contracted with supplier for material impact.
  • Actively promote commitment to the client's Information Security, Enterprise Risk Management and Audit initiatives, as well as its culture of compliance.

Internal Relationships:

  • Legal Affairs, IT Governance, or IT Security Operations
  • Internal Customers/Users
  • Internal clients and constituents

External Relationships:

  • 3rd Party Suppliers/Vendors
  • 4th Party Suppliers/Vendors
  • External Customers

The information above is intended to describe the general nature of the work being performed by each incumbent assigned to this position. This job description is not designed to be an exhaustive list of all responsibilities, duties, and skills required of each incumbent.

Qualifications

Education/Experience

  • HSD or GED required, Bachelor's degree preferred (or equivalent work experience)
  • Third party, technology, and project risk assessment experience
  • Experience with Governance, Risk, and Compliance tools
  • 5 years of experience in Risk Management with advanced understanding of Third-Party Risk Management
  • 7 years of experience in Information Technology Audit/Information Security

Proficient working knowledge within the following risk domains/technologies:

  • Change Management
  • IDS/IPS technologies
  • Firewall technologies
  • Network Architecture
  • Vulnerability Management
  • System/Access Administration
  • Key Management/Tokenization
  • Database and application security

Additional Licensing, Certifications, Registrations

  • CISSP, CISA, CRISC or equivalent

Knowledge:

  • Requires a solid understanding of IT security concepts with an emphasis on Security and Risk Assessment.
  • Requires solid knowledge of IT and computer systems.
  • Requires familiarity with HIPAA security rules and National Institute of Standards and Technology (NIST) standards.

Travel (If Applicable)

  • Conduct on-site/virtual security assessments to measure the effectiveness of the third parties' current control environment. (Some travel may be required.)