The primary responsibilities of the Information Security Specialist will be to lead and support various Governance, Risk, and Compliance (GRC) activities within our organization. While a strong technical background and understanding of IT and cybersecurity are essential, the focus of this position is on GRC tasks, such as risk assessments, vendor management, IT audits, incident response, and disaster recovery, while fulfilling secondary technical duties to help support the Information Security team.
Job Duties
Primary Responsibilities:
- Risk Assessments: Conduct comprehensive risk assessments to identify vulnerabilities and threats to the organization's information systems. Collaborate with the technical teams to implement mitigation strategies.
- Vendor Management: Oversee and assess the security posture of third-party vendors and service providers, ensuring they meet our security standards and compliance requirements.
- IT Audits: Plan, coordinate, and execute regular internal and external IT audits, evaluating the effectiveness of security controls and ensuring compliance with Bank policies and industry regulations, standards, and best practices.
- Incident Response: Maintain an incident response plan, assist in oversight of annual plan testing, participate in incident response efforts, and conduct post-incident reviews to improve response processes.
- Disaster Recovery: Assist in organizing and overseeing disaster recovery and business continuity testing exercises, ensuring that critical systems can be restored in case of an outage.
- Compliance: Stay current with relevant laws, regulations, and industry standards, and ensure the organization's IT practices and policies align with these requirements.
Secondary Responsibilities:
- Vulnerability Management: Oversee the vulnerability management program, including vulnerability scanning, patch management, and remediation efforts to secure our systems.
- Security Event Monitoring: Monitor security events using SIEM (Security Information and Event Management) and other security alerting tools. Respond to security alerts promptly and effectively.
- Security Tool Implementation & Integration: Evaluate, select, implement, and integrate security tools and technologies to enhance our security posture. Monitor and maintain these tools to ensure their effectiveness.
- Security Awareness Training: Provide technical security training and awareness programs to educate employees about technical security best practices and the importance of compliance.
- Technical Policy and Procedure Development: Contribute to the development and maintenance of technical security policies, procedures, and guidelines, and assist in their communication and enforcement.
- Documentation: Maintain accurate and up-to-date records of security assessments, compliance reports, incident response activities, and security alert responses.
Qualifications & Skills:
- Ability to identify creative solutions to complex problems in low-resource situations.
- Proficiency in security tools and technologies, including SIEM.
- Experience in conducting risk assessments and audits.
- Familiarity with security scripting and automation.
- Strong communication and interpersonal skills.
- Excellent technical and problem-solving skills.
- Strong understanding of IT systems, network security, and cybersecurity best practices.
Education, Experience & Licenses:
- Bachelor's degree in Information Security, Computer Science, or a related field, or equivalent experience
- Five years or more of previous information security or cybersecurity experience
- Relevant certifications, such as CISSP, CEH, or CompTIA Security+, preferred.
- Knowledge of relevant regulations and standards (e.g., GLBA, GDPR, HIPAA, ISO 27001).
Experience (preferred):
- 5 year(s): Five years or more of previous information security or cybersecurity experience
Education (preferred):
- Bachelor's or better in Computer Science or related field
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)