IRM Cyber Security Analyst/Senior IRM Cyber Security Analyst

This position is posted at 2 levels, there are two positions.

IRM Cyber Security Analyst / Senior IRM Cyber Security Analyst

Evaluates, tests, recommends, develops, coordinates, monitors and maintains information systems (IS) and cyber security policies, procedures and systems, including access management for hardware, firmware and software. Ensures that IS and cyber security architecture/designs, plans, controls, processes, standards, policies and procedures are aligned with IS standards and overall IS and cyber security. Identifies security risks and exposures, determines the causes of security violations and suggests procedures to halt future incidents and improve security. Develops techniques and procedures for conducting IS and cyber security risk assessments and compliance audits; evaluation and testing of hardware, firmware and software for possible impact on system security; and the investigation and resolution of security incidents. Implements IS and cyber security policies and takes measures against intrusion, frauds, attacks or leaks

Job Function – Information Risk Management

Design information systems security infrastructure. Develop policies and procedures to prevent unauthorized access. Educate and communicate security requirements and procedures to users and new employees. Ensure compliance with regulations and privacy laws. May oversee internal or external systems security (i.e., cloud services). Needs may include performance in the capacity of analyst, auditor or consultant.

• Develop and Communicate Policy and Standards – Advises internal business and IT stakeholders on information security requirements, policies and standards. Assists in promoting awareness of security issues among management and employees. Explains the purpose of and provides advice and guidance on the application and operation of physical, procedural and technical security controls. Contributes to the development and update of information security policies and processes

• Risk Assessment – Performs security risk, vulnerability assessments and business impact analysis for medium complexity information systems. Identifies observed or emerging security exposures that create potential threats to infrastructure, systems or data. Prepares reports of findings.
• Tracking and Reporting – Monitors and follows up to ensure that appropriate mitigation and remediation actions have been taken on risk-assessment findings. Gathers and creates information security metrics reports for management using appropriate visualization techniques.
• Vendor Risk Management – Conducts technical and policy-based information security risk reviews of third-party vendors. Reviews RFPs to ensure information security requirements are fully and correctly stated

• Requires a bachelor’s degree in computer science, information systems or other related field or equivalent experience preferred.

• Typically, five or more years in related field.

• Develop and Communicate Policy and Standards – Advises internal business and IT stakeholders on information security requirements, policies and standards. Promotes awareness of security issues among management and employees. Provides information to management regarding the negative impact of the business caused by noncompliance with security standards and requirements. Contributes to other risk, security and privacy initiatives across the company by providing information risk management expertise. Contributes to the development and update of information security policies and processes.
• Risk Assessment – Obtains and acts on vulnerability information and conducts security risk assessments, business impact analysis and accreditation on complex information systems. Identifies analyzes, investigates and reports information system threats. Provides advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. Provides expert advice and direction to colleagues.

• Tracking and Reporting – Monitors and follows up to ensure that appropriate mitigation and remediation actions have been taken on risk– assessment findings. Gathers, creates and presents information security metrics to middle, senior and executive management levels using appropriate visualization techniques.
• Vendor Risk Management – Leads or conducts technical and policy-based information security risk reviews of significant or key third-party vendors. Reviews RFPs to ensure information security requirements are fully and correctly stated.

• Requires a bachelor’s degree in computer science, information systems or other related field or equivalent experience preferred.
• Typically, eight or more years in related field.

• Intermediate / Advanced knowledge of information system risk management principles and best practices.
• Intermediate / Advanced knowledge of Windows, UNIX and network administration
• Intermediate / Advanced knowledge of security code review best practices
• Intermediate / Advanced knowledge of hardening systems.

• Intermediate knowledge of network and communication systems and equipment.
• Intermediate knowledge of PC and productivity software.
• Working / Advanced knowledge of the utility industry.
• Intermediate / Advanced knowledge of relevant technology standards (e.g., ISO, ITIL, OBIT, NIST) Intermediate / Advanced knowledge of security issues, techniques and implications across all existing computer platforms.
• Intermediate / Advanced knowledge of hardware and software products that enhance the security of systems, such as intrusion prevention systems (host and network based), firewalls, security event management systems, port scanning and vulnerability identification, monitoring and logging mechanisms.

• Intermediate / Advanced knowledge of security architecture models and principles Intermediate skill in using a variety of visualization techniques to effectively present information.
• Intermediate / Advanced ability to communicate security and risk-related concepts to technical and nontechnical audiences, including all levels of management both orally and in writing.