Knowledge & Experience (3-5 years’ experience)
- Strong working knowledge of information security principles and best-practice frameworks
- Knowledge of risk management tools and architectures
- Experience facilitating risk identification sessions, including face-to-face interviews and electronic data gathering and analysis
- Knowledge of encryption best practices, specifically as they relate to storing, processing and transmitting confidential data elements
- In-depth knowledge of network technologies, including wireless, wired and remotely dispersed networks. In-depth knowledge of third-party connection scenarios and compensating controls is also required
- Ability to comprehend complex technical topics quickly
- Ability to discuss complex topics with both technical and non-technical personnel
- Ability to participate in and be accountable to a team: act as a team member within a group of information security/compliance professionals
Technical certification in IT auditing and/or information security a plus, including two or more of the following:
- CISSP, CISA, CISM, GSEC, EnCase, PCI-QSA, Security+
- Strong working knowledge of COSO, COBIT or similar information technology governance/control frameworks.
Demonstrated progressive professional experience with one or more of the following:
- Sarbanes-Oxley IT General Controls audit
- Payment Card Industry Data Security Standard assessment
- Internal Audits focused on Information Technology General Controls
- Information security governance and risk assurance and assessment programs.
- Ability to work independently and meet critical and frequent deadlines; strong project management skills.
- Ability to develop innovative solutions and lead changes in implementing new processes or practices
- Very strong interpersonal, organizational, verbal and written communication skills
- Adaptability; self-starter; team player and team leader; quality-minded; focused; committed; able to work independently.
Essential Job Functions:
Strategy & Planning
- Maintain an awareness of existing and proposed security standards, state and federal legislation and regulations pertaining to information security.
- Monitor regulatory trends to keep the department informed of future compliance requirements
- Assist in the scoping of projects and developing proposals; clearly and formally document risks and collaborate with project managers and business owners to address risks
- Provide input to information security policy governance process; make recommendations for new policies or changes to existing policies based on regulatory and risk trends
Assessments and Remediation
- Participate in infrastructure design and reviews and provide technical analysis of information security requirements necessary for the protection of all information processed, stored or transmitted by systems and applications
- Identify potential vulnerabilities within an application and risk impacts to other applications or underlying infrastructure and recommend suitable controls and countermeasures to mitigate such vulnerabilities
- Interact with customers and third parties in the performance of risk assessments to identify and quantify potential exposures related to services provided to the customer and third party; document and recommend mitigation actions to management.
- Interact with process owners and subject matter experts for the purpose of risk and controls analysis, identifying deficiencies, developing alternatives, building consensus, and supporting implementation of solutions.
- Perform Data Classification – properly classify and label data according to policy.
- Conduct routine hardware and software audits of network and security devices for compliance – test against established customer standards, policies, procedures and configuration guidelines
- Develop and maintain IT general control and IT testing documentation, execute ongoing controls monitoring activities, and coordinate controls testing and reporting
- Track and report corrective action for identified deficiencies, execute follow-up validation of remediated controls, and perform walkthroughs of key IT controls and processes
- Act as liaison between internal/external audit and compliance teams and/or assessment teams and departmental staff; recommend process improvements to address controls deficiencies
- Interact with customers’ internal/external audit and compliance department during scoping, planning, execution and follow-up of internal controls testing and audits for regulatory compliance.
- 2-5 years' previous experience as a consultant working with mid-size to large organizations is highly preferred
- Experience with enterprise security policies and compliance processes.
- High level understanding of server/database/application administration, access management, change management, system development life cycle.
- Proficient in MS Office (advanced), Visio and MS Project
- Working knowledge of basic Windows 7 client and Windows Server troubleshooting, as well as Exchange 2010
- Strong working knowledge of networking, including routers, TCP/IP and network trace capture (Wireshark, tcpdump, etc.)
- Experience working with network border components such as firewalls, IPS/IDS, switches and routers
- Experience working with log monitoring systems or components (e.g. Snort, ArcSight, LogLogic) or with a Managed Security Service Provider (MSSP)
Education and Experience:
- Bachelor’s degree (B.A. or B.S.) from four-year college or university; or equivalent training, education and experience.