The Lead, Analyst InfoSec CntrlsProg will be an expert in Framework implementation, risk management, security control interpretation, control assessments, standards, and enterprise Governance, Risk and Compliance (GRC) tool operations (e.g., RSA Archer). The Lead will understand how NFCU standards apply to the Framework controls, and will be able to interpret and articulate both while working with customers. Standards will be reviewed and updated annually and expanded as needed, and detailed documentation of each standard's lifecycle will be maintained. The Lead will use the GRC tool daily and will assist customers (including Information Security Officers and Business Unit management) in understanding reports and customized dashboards.
Analyzes and evaluates existing information security programs and procedures to protect corporate information systems assets from intentional or inadvertent modification, disclosure, or destruction.
• Understand and execute the NIST Cybersecurity Framework (CSF), risk management, and applied security controls from NIST SP 800-53, PCI DSS, ISO 27002, and other control standards as assigned.
• Conduct comprehensive security control assessments of systems and assets according to NIST SP 800-53A Appendix F, using the examine, interview, and test assessment methods.
• Analyze, articulate, and write control assessment results from manual and automated methods, together with the operational and residual risk of the asset or system. Communicate results to the customer frequently to facilitate remediation as quickly as possible. Results are written in the enterprise GRC tool.
• Document issues as findings within the GRC tool; track remediation plans with business units; and track, report on, and understand existing security exceptions for assigned systems or assets.
• Run recurring compliance (findings) reports from the GRC tool as needed, ensuring they are accurate, timely, and presentable to executives and business unit customers.
• Offer written and oral expertise, with excellent customer service, in the interpretation of security controls, risk, and overall results to business units and leadership as needed.
• Write guidelines for customers on the enterprise framework, control assessments, remediation plans, and other topics as directed; work with the communications team to refine these products for intranet consumption.
• Write and update standards as directed, identifying and communicating gaps and changes as needed. Understand their mapping to specific security controls within the GRC tool. Interpret and explain the standards to customers and educate them as needed.
Performs risk assessments of business processes, systems, and applications.
• Analyzes and evaluates the design and operating effectiveness of the information technology and security controls that are in place.
• Evaluates current business practices against regulatory and industry benchmarks.
Performs assessments of how new and existing vendors' IT environments protect Navy Federal information assets from data compromise and/or identity theft.
• Communicates with internal Navy Federal personnel to understand the services and/or products being provided by the vendor.
• Evaluates the security controls the vendors have in place.
• Assigns a residual risk rating to the vendor based on its control environment.
• Communicates with vendor personnel throughout the review process.
• Communicates the status of reviews to Information Security management and internal business stakeholders.
Assists with the education of staff on the requirements of information security and the efforts to improve information security awareness.
Performs other related duties as assigned.
QUALIFICATIONS -- KNOWLEDGE, SKILLS AND ABILITIES:
Target:
• Bachelor's Degree in a related field, or the equivalent combination of training, education, and experience
• Extensive experience in computer and information security assessment, administration, and management (5+ years)
• Extensive experience in the evaluation and assessment of security risks and controls in place around business processes, systems, and applications (3+ years)
• Extensive experience in the evaluation and assessment of security risks and controls in place at third-party suppliers that access, process, or store confidential data (3+ years)
• Comprehensive knowledge and understanding of best practices and trends related to information security
• Comprehensive knowledge of information security regulations and legislation
• Formal project management experience, including organizational skills, managing strategy, project communications (internal and external to the team), and planning and directing the work of participants
• Strong research, analytical, and problem-solving skills
• Highly developed communication skills, including preparing and presenting results, findings, and recommendations, and influencing management decision making based on the best available data
• Excellent writing skills, with experience drafting executive-level documents
• Knowledge of NCUA and FFIEC regulations, GLBA, NIST, and other information security requirements and frameworks
Desired:
• Advanced college degree in information security, cyber security, information technology, or a related field
• Experience with security systems, assessment tools, and technical security
• Professional certification (CISSP, CISA, CRISC) or a reasonable expectation of obtaining the certification