*primary purpose*:
the information security analyst iii is a senior level position responsible for ensuring that national general policies and processes adhere to regulatory and legal compliance standards such as pci, sox, hipaa, and iso cybersecurity frameworks. The compliance analyst will work with the other members of the team to enhance business practices, internal controls and perform other review-related activities to support the execution of the department's annual assessment plan.
*essential duties and responsibilities*:
- works with security architects, security analysts, security administrators and other it and business departments to enhance/develop and review procedures and controls to meet pci compliance requirements
- supports the planning and execution of control assessments related to pci and other industry/regulatory requirements as well as common security frameworks such as nist, iso, and hitrust
- collect and document business requirements for process identification/improvement/automation efforts
- contributes to the development of process improvements
- applies knowledge of key regulations to influence assessment scope
- fieldwork/execution: with limited supervision, performs testing (including walkthroughs), takes ownership to complete clear and well-organized assessment papers that appropriately document the work performed, uses root cause analysis for problem solving and communicates potential issues timely to supervisor
- evaluates risks of key control deficiencies and effectiveness of overall control framework, and ensure management has effective and timely control remediation plans
- reporting: formulates appropriate conclusions regarding the adequacy of internal controls and procedures based on the assessment work performed and knowledge of company operation; drafts well written, clear and concise finding reports and participates in presenting the findings to the enterprise risk & compliance management
- remediation: monitors the implementation of corrective action plans with first and second lines of defense and presents updates to the findings to the enterprise information risk & compliance management
- conducts assessments of controls while documenting remediation items and working with vendors until items have reached a satisfactory level of risk
- other duties as assigned
job requirements
*minimum skills and competencies*:
- 8-10 years substantive experience as a compliance assessor or auditor with a licensed financial institution or a regulatory compliance examiner with a federal or state financial services regulator
- bachelor’s degree in computer science or computer information systems or related or equivalent experience
- 5-10 years substantive experience with pci compliance; assessing controls, collecting artifacts, completing ccws and working closely with qsas
- demonstrated knowledge of pci, hipaa, sox, iso27000 and nist cybersecurity frameworks
- demonstrated understanding of the current pci dss and how it applies to a large, complex organization accepting payment via multiple channels and technologies
- 5-10 years experience with infrastructure technologies including platforms, firewalls, routers, switches, virtualization and databases
- demonstrated detailed oriented self-starter and the ability to work independently with limited supervision and limited direction, and in collaborative team environments
- a strong ability to multi-task and manage varying priorities and projects
- excellent interpersonal, verbal, and written communication skills with the ability to communicate security risk and compliance related concepts to a broad range of technical and non-technical staff
*desired skills*:
- qsa, isa, pcip, ccna, ccnp, cia, cissp, cisa, cism, ccrisc, or cgeit certifications
- stream, archer, cyberark, fortify, qualys, rapid7, beyondtrust retina, qradar, trustwave trustkeeper, proofpoint, mcafee epo/hbss, vmware, palo alto
- knowledge of sql & oracle db’s