Position Description
Senior Information Security Risk and Compliance Analyst
Date posted:
Department:
Information Technology
Location:
Long Island City (HQ) - Queens, NY
Description:
This position will monitor and maintain awareness of state, federal and organizational security regulations and policies by working with internal stakeholders to identify and resolve areas of non-compliance. In addition, the incumbent is expected to stay up to date on the latest threat intelligence, including attackers' methodologies, in order to anticipate potential security threats and take appropriate proactive measures.
Accountabilities:
• Assists in ensuring that UNFCU is in compliance with all applicable legislative and regulatory requirements in the areas of information security.
• Assists with development and maintenance of an enterprise-wide Information Security program including security policies and procedures.
• Provides continuous monitoring of compliance with information security policies and procedures within the organization and provides recommendations to management on controls and remediation efforts.
• Coordinates with UNFCU business units during the vendor/service provider selection and review process from an information security perspective.
• Assists in the assessment and review of new and existing technology infrastructure to ensure adequate levels of control are in place to address identified risks and develops risk mitigation techniques that are actionable.
• Participates in system testing activities and recommendations, including vendor products and services.
• Performs annual risk assessments of UNFCU systems and applications and suggests remediation.
• Serves as the focal point for all information security related audits/examinations, including Payment Card Industry Data Security Standard (PCI DSS) assessments, and ensures that all audit issues are addressed in a timely and appropriate manner.
• Provides Security Awareness Training to new hires and others on an as-needed basis and helps develop and update the contents of the security awareness program.
• Manages administration of the annual Least User Access Privileges review.
• Interfaces with Information Technology (IT) staff and end-users regarding the development of security specifications and end-user security awareness. Consistently seeks to identify and implement solutions that result in increased security and security awareness for the entire organization.
• Coordinates multiple projects concurrently and influences the decision-making process.
• Ensures that contracts and agreements, including service level agreements (SLAs), with all InfoSec vendors for the products and services they provide are current and up to date in all respects. Performs vendor/product risk assessments of InfoSec products and services in the vendor management system at the required intervals and keeps such risk assessments current and up to date.
• Monitors and evaluates new security vulnerability threats/alerts; fully understands, supports, documents, communicates, and improves the service in terms of IT security and change management.
• Provides continuous monitoring of all security systems and solutions and provides exception reports, as well as recommendations to management on controls and remediation efforts. This involves daily review of all security systems, reports, logs, and taking appropriate remediation measures, including escalation wherever considered necessary.
• Identifies regulatory changes that could affect information security policy, standards and procedures, and recommends appropriate changes. Maintains an awareness of existing and proposed security standard setting groups, State and Federal legislation and regulations and how they could affect the organization.
• Participates in the design and execution of vulnerability assessments, penetration tests and security audits. Performs vulnerability scans and penetration tests in accordance with organizational policies/procedures and regulatory requirements.
• Implements and maintains all components of information security requirements for UNFCU Disaster Recovery and Business Continuity plans.
• Researches and monitors cyber security issues and intelligence and initiates proactive action.
• Performs such other tasks assigned by Management.
Qualifications:
• Bachelor’s degree in Computer Science, Information Technology, Engineering, or a related field
• Minimum 8-10 years of experience in a relevant field at various levels is required
• Experience in IT Audit (General Computer Controls and Application Security, including cloud-based applications) and review of Service Organization Control (SOC) reports is required
• Knowledge of NCUA Part 748, FFIEC guidelines, NIST security standards, and PCI DSS required
• Experience in Credit Union or other financial institutions helpful
• CISA certification is required. Other security certifications such as CISSP, CISM, etc. are a plus
• Must be familiar with standard concepts, practices, and procedures within the Information Security field, and must have a strong understanding of applicable business systems, industry trends, and a layered security (defense in depth) approach
• Knowledge and familiarity with the security of one or more of the following systems will be a big plus: Web Proxy/URL filtering, Web Application Firewall, Network Access Control, Intrusion Prevention System, Computer/Network Forensics, Incident Response analysis and handling, Advanced Persistent Threats, Vulnerability Assessment and Management, Encryption and Decryption, Virtual Private Network (VPN)
• Excellent interpersonal skills and highly detail-oriented
• Professional communication skills, both verbal and written
• Ability to manage relationships at all levels throughout the organization
• Able to multi-task in a fast-paced environment
• Professional appearance and a willingness to work flexible hours
Frequently Asked Questions
How do I apply for a position with UNFCU?
Follow the instructions for uploading a Word or PDF copy of your resumé and cover letter.
How do I know what positions are currently available?
If you do not see an open position that is of interest to you, you can still upload and submit your resumé and cover letter for future consideration. We suggest you select the business area in which you have an interest from the list provided in order for UNFCU to appropriately review your application.