Information Security Risk Analyst

Apex Systems is seeking an Information Security Risk Analyst for a contract-to-hire position with a Maryland-based bank. If interested, please email [email protected] your resume.

Position: Information Security Risk Analyst
Location: Remote - EST hours
Hours: Regular business hours
Compensation: $115,000/yr
Job type: Full time, Contract to hire
Reporting to the Manager of the Information Security Risk team, the Information Security Risk Analyst will lead specific information security risk management related activities that protect our client and its clients while complying with applicable regulations and SSB policies. The Information Security Risk Analyst provides subject matter expertise and leadership to improve the organization's security policies and security risk management processes by establishing a framework of controls so that the Bank can manage risk, meet regulatory complianceand maintain governance over all aspects of IT. The Information Security Risk Analyst will have responsibilities to ensure that SSB identifies risks and remediates them in a timely manner while reporting the current level of exposure to known threats. The role includes implementation and maintenance of policies, as well as training and awareness plus vendor risk management responsibilities. The position requires experience of information security risk management in a regulated environment. This role will work closely with second-line and third-line risk leaders.
MAJOR JOB ACCOUNTABILITIES:

• Perform security risk analysis with the goal of identifying risk and elevating the company's security posture.
• Serve as a subject matter expert and trusted advisor as part of establishing relationships to support risk-based decision making across business, IT and the broader stakeholder community at the Bank.
• Contribute to Information Security reports for Technology Risk Committee and Operational Risk Committee as necessary.
• Lead efforts to track and remediate risk when those risks are determined to have a threat to the Bank's safety, soundness, or reputation. Track risks and issues and ensure their on schedule remediation in alignment with the ERM issues management process.
• Establish and maintain processes for managing security-related audits, control assessments, compliance checks and external assessments across Business, IT and Information Security. Ensure timely and complete responses to evidence requests and compile management responses and remediation plans as needed.
• Emphasize the application of privacy, security, business resiliency and compliance frameworks including but not limited to, FFIEC (Federal Financial Institutions Examination Council), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Service Organization Controls (SOC) 2, PCI-DSS, and ITIL V3/4 processes.
• Evaluate risk and controls by executing targeted testing of first line operated control processes.
• Develop and publish policy, standards and procedures for implementation based on the Bank's risk appetite, industry best practice guidance and based on a detailed knowledge of the regulatory and stakeholder requirements.
• Collaborate with the Enterprise Risk Management team to design and maintain a risk and controls matrix mapped to applicable regulatory and selected framework controls and in alignment with the agreed risk appetite. In addition facilitate a Risk and Control Self-Assessment (RCSA) across IT and Information Security.
• Participate in the vendor risk assessment process and provide security risk assessment services and contract reviews to ensure that third parties meet the Bank's information security control requirements.
• Support the SSB cyber training and awareness program, Cyber Tabletop exercises, Red Team Exercises, ensure all findings are addressed timely via the risk issue management process
• Contribute to and validate metrics used in assessment of security program success and report them regularly to security and business leadership.

KNOWLEDGE, SKILLS, AND ABILITIES:

• Minimum of 4-6 years' experience in one or more information security roles, including security risk analysis and control design, compliance and risk management, security control process assurance or audit of technology controls
• Bachelor's degree in Information Security, Computer Science, Management of Information Systems, or related field required. Master's degree in a related field is an advantage.
• Demonstrated deep background (preferred 4+ years) in risk treatment, controls selection and information security controls process design.
• Direct hands-on experience with information security policies, standards, and industry leading practices is essential.
• Demonstrated experience working directly with internal audit and regulator teams to satisfy audit requests, present evidence and provide management responses to findings that are identified during the audit or assessment.
• Demonstrated experience with security processes and technology solutions that align with controls for FFIEC, SOX Section 404, ISO 27001/2, Center for Internet Security (CIS) Critical Security Controls (CSC), or National Institute of Standards and Technology (NIST) 800-53 guidelines is preferred.
• Professional security risk management certification is required, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials.
• Track record of delivering security governance, risk and compliance projects under tight deadlines.
• Capable of working with diverse teams and promoting a positive enterprise-wide security culture.
• Demonstrated project management, multitasking and organizational skills.
• Detail-oriented, with excellent written and verbal communication skills, interpersonal and collaborative skills
• Self-driven and able to work in an agile team within a large enterprise organization, as well as independently.
• High level of personal integrity, high degree of initiative, dependability and ability to work with limited supervision.

EEO Employer

Apex Systems is an equal opportunity employer. We do not discriminate or allow discrimination on the basis of race, color, religion, creed, sex (including pregnancy, childbirth, breastfeeding, or related medical conditions), age, sexual orientation, gender identity, national origin, ancestry, citizenship, genetic information, registered domestic partner status, marital status, disability, status as a crime victim, protected veteran status, political affiliation, union membership, or any other characteristic protected by law. Apex will consider qualified applicants with criminal histories in a manner consistent with the requirements of applicable law. If you have visited our website in search of information on employment opportunities or to apply for a position, and you require an accommodation in using our website for a search or application, please contact our Employee Services Department at [email protected] or 844-463-6178 .

Apex Systems is a world-class IT services company that serves thousands of clients across the globe. When you join Apex, you become part of a team that values innovation, collaboration, and continuous learning. We offer quality career resources, training, certifications, development opportunities, and a comprehensive benefits package. Our commitment to excellence is reflected in many awards, including ClearlyRated's Best of Staffing® in Talent Satisfaction in the United States and Great Place to Work® in the United Kingdom and Mexico.