The Information Security and Compliance Analyst is responsible for maintaining the physical and information security programs. Under the supervision of the ISO, this position manages the planning, execution, and assessment of physical and information security strategies, policies, procedures, and practices implemented by the organization. The Information Security & Compliance Analyst confirms that all physical and information assets are adequately protected against current/future internal/external threats through managing a comprehensive risk management program that includes risk & vulnerability assessments, implementing sufficient security controls, and training and awareness programs.
• Oversees the implementation and execution of the organizational Information Security program.
• Monitors compliance with federal and state regulations; reviews information security standards and frameworks from multiple sources (e.g., NIST, CIS, HIPAA) and recommends appropriate policies and procedures, tasks, and checklists aimed at enhancing controls and reducing overall business risk.
• Monitors the regulatory environment and advises on changes in requirements / expectations. Recommends plans to maintain regulatory compliance.
• Creates and maintains applicable physical and information security policies and procedures.
• Maintains and oversees administrative, technical, and physical safeguards and controls.
• Assesses risk levels associated with sharing organizational data with third-party vendors and partners and applies appropriate safeguards.
• Assesses and evaluates information security risks through various risk assessment methods and provides risk response strategies as appropriate.
• Recommends and performs general and specialized physical and information security awareness training and education programs as necessary.
• Creates and maintains System Security Plans (SSP).
• Assesses and documents facility and system role-based access; enforces documented facility/systems access through periodic audits.
• Creates and maintains Plans of Action and Milestones (POA&M). Tracks progress and assesses overall risk.
• Develops responses to information security audits and Requests for Proposal/Information (RFP/RFI).
• Oversees and maintains the information security incident response plan, Disaster Recovery plan, and other applicable contingency plans; organizes and conducts adequate contingency plan, incident management, and simple recovery tests periodically.
• Creates and maintains physical and information security dashboards and management reports relative to the confidentiality, integrity, and availability of systems, facilities, and workforce.
• Collaborates and coordinates with all other functional areas at Pondera to maintain an up-to-date business continuity plan and ensure those plans are consistent across the enterprise.
Education and Experience
• Bachelor's degree in computer science, business, finance, information systems, mathematics, or a closely related field;
• 5 years of information technology experience including information security and enterprise-wide administration; OR
• Equivalent combination of education and experience.
• CISSP, CISM, CompTIA Security+, or similar.
Knowledge, Skills and Abilities
• In-depth knowledge of information security technologies, markets and vendors, including firewall, intrusion prevention/detection, proxies, risk assessment tools, cryptography, identity management systems, certificate authority, and secure web and application development.
• Strong knowledge of computer networks, directory services, virtualization and storage technologies and hardware and High Availability (HA) systems.
• Strong knowledge of HIPAA compliance and NIST standards.
• Strong knowledge of information systems industry and best practices in network, application and hardware platform security and the ability to apply them effectively.
• Strong knowledge of application security, database technologies used to store enterprise information, directory services and information systems auditing.
• Strong knowledge of security incident response practices and the ability to apply them effectively.
• Experience working with logging, monitoring, and auditing systems and the ability to design appropriate traps/triggers.
• Experience with performing and interpreting vulnerability scans and pen tests.
• Ability to quickly and effectively react to daily threats from external and internal sources.
• Ability to construct and maintain effective relationships with vendors and strategic partners.
• Very strong oral and written communication skills, including the ability to communicate professionally, effectively and persuasively both orally and in writing to business and technical users; includes the ability to effectively explain complex information and tailor presentations to a specific audience.
• Very strong critical and analytical thinking and research skills.
• Strong organizational and collaboration skills with the ability to effectively manage multiple priorities, facilitate discussions, obtain consensus, and resolve conflicts.
• Ability to treat confidential information with appropriate discretion.