Information Security Risk Analyst
3711 S. Mopac Expwy, Bldg 2 Austin, Texas 78746
Position: Information Security Risk Analyst
Location: Austin, TX
Type: Direct Hire (open to contract, but it would have to be contract-to-hire)
Interview: Phone and In Person
PURPOSE AND SCOPE: The Information Security Risk Analyst will identify, quantify, and manage risk across the organization while integrating risk management processes into business operations. This role will work directly with subject matter experts to identify risks, elicit all necessary information about the situation to form a complete understanding of the risk, work with the other members of the Risk Team to quantify and document the risk, and present the complete quantified risk to the appropriate levels of management to support their decision-making process.
PRINCIPAL DUTIES AND RESPONSIBILITIES:
- Create and implement ISO-aligned risk management policies, standards, and procedures, and provide oversight for other Business Units based on industry best practices and frameworks.
- Develop, measure, and manage risk metrics to support GRC (governance, risk, and compliance) reporting.
- Identify, implement, monitor, and enforce information security compliance, regulatory, and control frameworks.
- Analyze and coordinate with stakeholders on an ongoing basis to improve the risk posture of individual business units and of the organization overall.
- Conduct risk assessments using industry standard frameworks.
- Study risk assessments conducted by business owners and support functions, and incorporate relevant tests into assessment plans.
- Build and maintain a database of risk assessment questionnaires, responses, and mappings to industry standard frameworks and regulatory requirements, using TrustArc or other applicable solutions.
- Create and maintain documentation of issues/control gaps, corrective actions, and status.
- Support the security exception management process.
- Review third-party attestation and audit reports, then provide feedback to business leaders and risk owners.
- Serve as a company representative with prospects, customers, and partners by assisting with the completion of security questionnaires, assessments, and audits.
- Delivery focused, willingness to perform and manage all tasks required to complete the job and meet deadlines, including administrative and documentation-oriented tasks.
- Attention to detail and thoroughness, with a focus on the completeness, accuracy, integrity, security, and confidentiality of the information handled and activities performed.
- Interact enterprise-wide with all levels of personnel, including executives, business functional heads, and technical staff.
- Analyze key business processes in order to produce comprehensive risk scenarios, implemented by working with and through business leaders and information security risk architecture.
- Collaborate with threat and vulnerability intelligence teams to develop risk scenarios from new and emerging risks.
- Conduct comprehensive analysis of risk scenarios and inform key stakeholders of findings on an ongoing basis.
- Support advancing the enterprise-wide information security risk function to create a union of business risk and information security risk.
- Support awareness and accountability around IT governance, risk, and compliance control functions
- Team-oriented and will promote execution and change through influence
- Articulate information security risk into business terms
- May provide direction to peers or PMs leading projects for Risk Management related initiatives, including ensuring delivery of business requirements and providing analysis and solutions for potential problems.
- Developing professional expertise; applies company policies and procedures to resolve a variety of issues.
- Normally receives general work instructions on routine work, detailed instructions on new projects or assignments. Work is reviewed for soundness.
- Works on problems of moderate scope where analysis of situation or data requires a review of a variety of factors. Exercises judgment within defined procedures and practices to determine appropriate action.
- Builds productive working relationships.
- May provide assistance to junior level staff with general tasks that require a better understanding of functions, as directed by immediate supervisor.
- May refer to senior level staff for assistance with higher level problems that may arise.
- Escalates issues to supervisor/manager for resolution, as deemed necessary.
- Review and comply with the Code of Business Conduct and all applicable company policies and procedures, local, state and federal laws and regulations.
- Assist with various projects as assigned by direct supervisor.
- Other duties as assigned.
EXPERIENCE AND REQUIRED SKILLS:
- Bachelor's Degree required; degree in a related discipline is desired (e.g., Computer Science or Computer Information Technology)
- 2 – 5 years’ related experience, particularly in a combination of risk management, information security and/or technology roles; or an advanced degree without experience; or equivalent directly related work experience.
- Deep understanding of information security regulations, standards, and frameworks, including the Federal Information Security Management Act (FISMA), Service Organization Control 2 (SOC 2), Federal Information Processing Standards (FIPS), National Institute of Standards and Technology (NIST) publications, the ISO 27000 series, HITRUST, Cloud Security Alliance (CSA) guidance, and various other laws and regulations including Executive Orders.
- Conducted risk assessments using a variety of frameworks
- Possess demonstrable knowledge of Third-Party Assurance risk management
- Able to self-start and lead cross functional teams and deliver results with minimal supervision.
- CISSP, CRISC, CISA, CISM, or other technical certification(s) a plus
- Experience with TrustArc Assessment Manager a plus
- Working knowledge of Scripting languages a plus
- Travel required per business need.