GRC Security Policy Analyst
Posted on Dec 12, 2018 by Request Technology - Craig Johnson
Serve as a subject matter expert for Information Security, consulting to technical management (serving on project teams, discussing application and systems architectures, etc.), non-technical management (educating the user community on information security) and attorneys (e.g., litigation-related technical education) as necessary.
Manage and support GRC technology and Security Governance solutions. Create and maintain system, procedural and support documentation.
Manage and support the third-party Security Vendor Risk Management program and its life cycle.
Document and perform risk assessments for third parties (e.g., vendors and service providers). Respond to security assessments, questionnaires and audits from clients and third-party business partners.
Create and maintain security policies, standards, processes and guidelines for approval by Firm management. Evaluate exception requests and make approval recommendations to management.
Security Awareness: assist in coordinating the program, including developing awareness content, scheduling awareness activities and measuring the program's progress.
Vulnerability Management: collect information on emerging threats, including software vulnerabilities. Coordinate triage of and response to vulnerability information. Disseminate this information regularly to firm staff and management as appropriate.
Participate in long-term strategy and planning for Information Security.
Preferred candidate will have one or more of the following certifications:
Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications.
GRC tool management: Administration, Engineering or both
Ability to perform as primary Security SME.
Ability to facilitate project and vendor risk assessments with relative independence and provide guidance on secure design and operation.
Ability to complete and assist in completing client security questionnaires and security assessments concerning the Firm's security program and controls.
Ability to communicate an effective security awareness message throughout the organization.
Demonstrated ability to create and maintain security policy, standard, guideline and procedure documents.
Demonstrated ability to effectively communicate deeply technical topics at an appropriate level of detail to varied audiences, including IT subject matter experts, senior management and non-technical users.
Strong knowledge of security frameworks and assessment standards such as ISO 27001, NIST, SOC and SIG.
Experience (administration or engineering) with GRC platforms.
Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options.
Strong knowledge of risk management principles and practices.
Strong knowledge of security administration and role-based security controls.
Strong knowledge and use of GRC platforms.
Knowledge of host and network-based anti-malware technologies.
Knowledge of authentication technologies and interactions between diverse authentication platforms, both on-site and remote.
Knowledge of client and server firewalling technologies, including configuration and administration.
Strong knowledge of Intrusion Detection and Prevention solutions, including their technical capabilities, configuration and administration.
Knowledge of security information and event management (SIEM), event correlation and analysis technologies.
Knowledge of data encryption technologies.
Knowledge of web filtering and email spam prevention techniques.
Knowledge of vulnerability assessment and forensic investigations tools.
Knowledge of mobile device security and Mobile Device Management solutions.
Knowledge of Privileged Access Management technologies.
Windows Authentication and Active Directory integration
Anti-Malware and AEP technologies
Security Information and Event Management (SIEM)
Vulnerability management tools
Mobile Device Management
Privileged Access Management