Summary
The Information Security Risk Lead is responsible for the oversight and execution of the company’s Information Security function, as it relates to the design, development, implementation, and monitoring of the Information Security Risk Management program. Additionally, this role will lead the maturation and evolution of the risk management tools and methods, as well as ensuring comprehensive reporting of all security risks. The Information Security Risk Lead will work across the security team to promote awareness of the risk management program and desired risk culture. The position requires a diverse background to understand a variety of systems, including new technologies and legacy systems considered business critical.
Essential Functions
Lead the execution and maturation of the information security risk management program
Perform targeted risk assessments to identify and report on strengths and weaknesses in the program as they relate to privacy, security, business resiliency and compliance frameworks
Manage and oversee the implementation and maintenance of an Enterprise GRC tool
Work effectively with leads across the Information Security team to assist with identifying, measuring, and planning remedial action plans for information security risks
Document and maintain workflows and design documents and procedures to identify gaps in risk posture and risk acceptability based on controls
Create and present risk posture and recommendations to Information Security leadership
Perform ad-hoc assessments, analysis, and reports as needed to support the team’s needs
Additional Responsibilities
Foster and maintain good relationships with business partners and colleagues to meet expected service levels.
Research and recommend new tools and technologies to gain efficiencies and enable functionalities.
Deliver schedule milestones on-time to ensure project/program objectives are met.
Performs other duties as assigned.
Skills and Abilities
Track record of acting with integrity, taking pride in work, seeking to excel and being curious and flexible.
Strong written and oral communication skills across varying levels of the organization.
Understanding of service design, delivery concepts and control frameworks.
Organized, with the ability to prioritize and complete tasks within defined SLAs.
Excellent judgment and the ability to make quick decisions when working with complex situations.
High degree of integrity, trustworthiness and confidence; represents the company and its management team with the highest level of professionalism
Qualifications
Bachelor's degree required Information Security, Information Technology, Management Information Systems
Master's degree preferred Information Security, Information Technology, Management Information Systems
Seven (7) years or more Experience with technology risks and controls and deploying information governance, information technology risk management, compliance, information security, or privacy programs required
Seven (7) years or more Experience with cyber security and information security program management and frameworks (e.g. NIST CSF, ISO/IEC 27000, etc.) required
Exposure to and familiarity with relevant standards such as ISO/IEC 27000 family - Information Security Management Systems, NIST Cybersecurity Framework, NIST 800, and applicable laws related to regulatory compliance, information security and privacy (e.g. SOX, HIPAA, GDPR, PCI-DSS) intermediate required
Knowledge of information security risk management and IT controls frameworks and methodologies (e.g. ISO/IEC 27005, COBIT, OCTAVE) intermediate required
Knowledge of Risk Management Principles (risk avoidance, transfer, mitigation, acceptance), Risk Assessment process intermediate required
Knowledge of Cloud Security - Cloud Control Matrix (CCM), Consensus Assessment Questionnaire (CAIQ) intermediate required
Knowledge of Common Controls Hub - Unified Compliance Framework (UCF) intermediate preferred
Knowledge of Standardized Information Gathering (SIG) Questionnaire intermediate preferred
Knowledge of AICPA SOC for Service Organizations intermediate preferred
Other Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), or Certified in Risk and Information Systems Control (CRISC) or Certified Cloud Security Professional (CCSP) credentials or International Association of Privacy Professionals (IAPP)
Travel: 1-10%
For more Info.: https://hubs.la/Q02_Ft020