Information Security Risk Analyst
The Information Security Risk Analyst is responsible for developing and deploying appropriate risk and controls assessments. This position will coordinate with other Information Security Analysts and Risk Analysts to understand and maintain an effective information security control library. The person in this role will be responsible for ensuring that all risks above the enterprise risk appetite have been properly documented in the Issue Management system and for providing metrics to the Information Security Officer.
- Risk Assessment Methodology (30%)
  - Ensure the risk assessments performed meet or exceed the current standards set by Enterprise Risk Management.
  - Develop a process for interviewing business units to properly identify risks associated with assets or processes.
  - Ensure consistency in how inherent likelihood, inherent impact, and control effectiveness are applied to risks across multiple asset categories or similar processes across multiple business units.
  - Ensure control effectiveness ratings use industry-standard recommendations for controls appropriate to the size and complexity of the organization.
  - Work with other Information Security Analysts to build and maintain a control library.
- Risk Assessment Processing (30%)
  - Lead the risk assessments and ensure they are completed on time in accordance with the schedule set by the Information Security Officer.
  - Ensure proper policies, procedures, risk mitigation activities, and operating controls are followed. Report gaps in policies and procedures.
- Issue Management and Metric Reporting (25%)
  - Ensure risks above the enterprise risk appetite are entered into the Issue Management system and include proper documentation for corrective actions.
  - Review completed mitigations in conjunction with other Information Security Analysts and ensure updates are appropriately made to the Issue Management system.
  - Build metrics on risk mitigation activities and accepted risks designed to inform senior leadership of the current observed risk levels.
- Risk Training (15%)
  - Provide recommendations to the ISO and the Director of Enterprise Risk Management to ensure training appropriate to the size and complexity of the organization is available for business unit leaders.
Specialized or Technical Knowledge and Skills:
- A Bachelor’s Degree in information technology or computer science is required. Candidates without a bachelor’s degree who can demonstrate equivalent work experience or training will be considered.
- CISSP or CRISC certification is required. Candidates without this certification will be considered; however, they will be required to obtain certification within the first year of employment.
- At least 5 years of experience in the information technology or information security field is required.
- Candidates should have experience with, and be able to demonstrate knowledge of, PCI-DSS and the NIST RMF.
- A valid driver’s license is required, as the position involves travel to various locations to complete assessments.
This position is located in Beavercreek, OH.