Archer Daniels Midland

I.T. Security Governance Analyst

Posted on: 22 Nov 2021

Erlanger, KY

Job Description

Position Summary:

This position, together with the Director Security Governance & Awareness, will continually review, refine, and recommend improvements to the Information Security operating model, enterprise policies, standards, and processes in order to provide reporting and recommendations to the CIO, CISO, and senior leadership to reduce the risk to the enterprise.

Job Responsibilities:

Develop, maintain, evaluate, and implement policies and procedures in line with both business requirements and national and international legislative changes (e.g., ISO 27001/27002, COBIT 5, NIST CSF, GDPR).
Collaborate with subject matter experts to write policies and standards in line with the ADM Control Framework. 
Lead control assessment activities addressing technical and functional security and regulatory requirements. Engage appropriate business units and personnel to plan and execute the Technical Control Governance program. Document gaps and system vulnerabilities; drive risk identification and intake.
Analyze, implement, review, and update security policies, standards, and controls. Collaborate with leadership to develop and implement security policies and standards, considering impact to the enterprise. Collaborate with subject matter experts to address new requirements and emerging business needs in a secure manner.
Participate in the development and implementation of security awareness program training, materials, and events. Develop and deliver content to educate the business about the Technical Control Framework and other organizational programs.
Compile, review, and analyze security information to formulate recommendations, metrics, and reports for management review and decision making.
Lead implementation (Control Design and Implementation) of the ADM Control Framework, including tracking and reporting progress, security control gaps (compared to the ADM framework, which consists of NIST CSF and ISO 27001 / ISO 27002), and metrics.
Proactively collect appropriate and meaningful metrics to be reported so that business leaders can make appropriate risk-based decisions.
Monitor compliance with security policies and standards across the organization utilizing reporting and metrics. Drive compliance improvement to processes.
Document and track requests for variance from standards. Monitor risk mitigation processes and progress with the clients until variances are closed.
Actively stay aware of processes and methods for addressing and/or acknowledging non-compliance to information security standards and communicate the findings clearly to business areas.
Collaborate with key business units and capability stakeholders, including, but not limited to, Privacy, IT, Internal Audit, InfoSec, Corporate Security, and HR to develop and improve Information Governance to the enterprise.
Establish security metric baselines and generate reports reflecting current performance against those baselines using Power BI.
Document a narrative summary and analysis of the metrics: what the numbers mean, what changes in the technology or security environment may have impacted the numbers, and what can be changed to correct any deficiencies.
Review, track, and update company standards for compliance with legal and regulatory requirements. Work with subject matter experts to maintain documentation; modify or create new security standards as needed.

Job Requirements:

BA/BS degree or equivalent experience.
Minimum of 3-5 years of experience in security or IT/OT.
Basic knowledge and understanding of how information security affects an organization and ability to link it to business processes.
Basic knowledge and understanding of risk assessment and control methods.
Basic knowledge and understanding of end-user computing tools, hardware, application software, network, communications and mobile technologies.
Basic knowledge and understanding of information security policies, standards and processes.
2-3 years of experience with regulatory requirements and frameworks such as ISO 27001, ISO 27002, PCI, CIS, SOX, HIPAA, ISO, NIST, COBIT, GDPR, or NIST Cyber Security Framework (CSF).
SANS 401 (can be obtained after employment).
2-3 years of experience in a GRC discipline. One year of work in a Governance, Risk, Compliance (GRC) function in a highly regulated environment may substitute for up to 18 months of experience.
Proven success implementing security policies, standards, and/or controls.
Ability to translate strategy into actionable plans that impact organizational change.
Ability to work across the organization, building relationships and influencing peers and management through establishing trust and credibility.
Experience in one or more of the following areas preferred: network administration, systems administration, SDLC/secure soft, encryption, asset management, identity and access management, Audit, Governance Risk & Compliance, IT Operations, Security Risk Management.
Ability to drive discussions and influence decision making; strong presentation and reporting skills. Proficient in technical writing and leveraging various creative mechanisms to communicate to diverse audiences. 
Ability to communicate with and create documentation for technical and non-technical audiences.

Desired Skills:

Practical experience implementing NIST, ISO, or other industry standards. Certification such as CISM, CISSP, CISA, or CRISC.
Experience using a GRC tool (e.g., Archer, Lockpath).
Experience using policy workflow software such as PolicyTech.
Strong understanding of vulnerability management.
Understanding of security technologies such as firewalls, IDS, IPS, encryption, IDAM, SIEM, etc.
Understanding and knowledge of Sarbanes-Oxley, GDPR (General Data Protection Regulation), and IT General Controls. Knowledge of third-party auditing, such as cloud, and risk assessment methodologies.

Archer Daniels Midland

Chicago, IL

Archer-Daniels-Midland Company procures, transports, stores, processes, and merchandises agricultural commodities, products, and ingredients in the United States and internationally. The company operates through four segments: Origination, Oilseeds, Carbohydrate Solutions, and Nutrition. It buys, stores, cleans, and transports agricultural commodities, such as oilseeds, corn, wheat, milo, oats, rice, and barley, as well as resells these commodities primarily as food and feed ingredients and as raw materials for the agricultural processing industry.

The company also engages in agricultural commodities merchandising and handling activities; and activities related to structured trade finance, and import and distribution of agricultural feed products. In addition, it offers vegetable oils and protein meals; ingredients for the food, feed, energy, and industrial products industries; crude vegetable oils, salad oils, margarine, shortening, and other food products; and partially refined oils to produce biodiesel and glycols for use in chemicals, paints, and other industrial products. Further, the company provides peanuts, tree nuts, peanut-derived ingredients, cottonseed flour, and cotton cellulose pulp; sweeteners, corn and wheat starches, syrup, glucose, dextrose, and bioproducts; alcohol and other food and animal feed ingredients; ethyl alcohol and ethanol; corn gluten feed and meal, as well as distillers’ grains; and citric acids.

Additionally, the company provides natural flavor ingredients, flavor systems, natural colors, proteins, emulsifiers, soluble fiber, polyols, hydrocolloids, natural health and nutrition products, and other specialty food and feed ingredients; edible beans; formula feeds, and animal health and nutrition products; and contract and private label pet treats and foods. It also engages in futures commission merchant and insurance services. Archer-Daniels-Midland Company was founded in 1902 and is headquartered in Chicago, Illinois.

  • Industry
    Agribusiness/Forestation
  • No. of Employees
    31,600
  • Jobs Posted
    457