This is a full-time/ temp-to-hire position for a Senior Information Security Analyst (“Security Analyst”) within the Information Security team that participates in all aspects of information security.

The Security Analyst shall act as a risk manager with the responsibility for identifying, acting on and escalating risks and is held strictly accountable for the failure to discharge their information security duties. The employee shall also be responsible for demonstrating risk awareness by following all security policies, procedures and internal controls in the daily routine.

Ability to make decisions and influence decisions in the areas of risk management and compliance are key to the role. The Security Analyst will ensure that policy and compliance documentation, requirements and controls are properly and timely identified, mapped, tracked, reviewed, and reported for the organization to increase security posture.

In this role he will work closely with other members of the Security Team and IT Infrastructure Teams to manage and support security administration tasks and security projects.

Responsibilities:

•  Experience leading risk assessments, audits, policy, governance, and/or reporting, preferably in a financial institution

•  Assist with mapping controls to policies, procedures, and processes and testing of those controls to ensure adequate coverage

•  Establish and maintain security manuals

•  Work with control owners in the remediation and tracking of deficiencies.

•  Assist with increasing the maturity of the Information Security program, strategy and process.

•  Provide security services in identifying, assessing, managing, and tracking remediation of

  information security risks related to IT infrastructure, applications, platforms and suppliers and

  drive explicit requirements and timelines in all environments

•  Provide update to the CISO and/or CRO on progress of remediation efforts

•  Qualys:

  – scanning for vulnerabilities and baseline configuration compliance
  – monitoring new and existing vulnerabilities and working with IT and users to remediate – Daily, Weekly, Monthly, reporting – reviewing results of reports and presenting to IT to

  remediate issues
  – Network monitoring – Monitoring assets connected to the network scanning for assets

and reconciling with IT asset inventory
– Daily monitoring of system events for malicious activity

•  Tufin – Firewall rule review and approval

•  AlienVault – SIEM – System event monitoring and analysis with follow up if issue is detected

•  Tipping Point – IPS – Monitoring network for signs of malicious activity or exploitation

•  Trellix EPO TMS – Daily monitoring of Data Loss Prevention tools

•  Manage phishing campaigns, create email templates, perform testing, analyze results, and

  write report

•  Spirion – Create scans to monitor files containing PII and ensure they are destroyed in

  accordance with data retention policy

•  Privileged Access Management (PAM) and reporting

•  Chair weekly IT meeting to discuss vulnerabilities, patching, and alarms generated by IS tools

•  Threat Intelligence – Monitor Qualys Threat Protection Feed and CISA emails for relevant

  information to protect the network

•  Work with vendors for troubleshooting and maintenance of IS tools

  Education and Experience Requirements:

•  5 years managing information security governance, risk, and compliance

•  Bachelor’s degree in information technology or security discipline (e.g. cybersecurity) or

  related worked experience

•  Industry recognized security certifications are a plus but not required (e.g. CISSP, CISA, CISM,

  CEH, etc.)

  Skills and Knowledge:

•  Demonstrated knowledge of industry authoritative sources such as NIST Cybersecurity Framework, SOC2 and ISO standards, FFIEC framework and NYDFS-Part 500 regulations

•  Working with GRC applications and toolsets, such as RSA Archer

•  Proficient in Microsoft Office

•  Excellent written and verbal communication and presentation skills; Good command of

  spoken and written English.

•  Interpersonal and collaborative skills; and the ability to communicate information risk-related concepts to technical as well as nontechnical audiences

•  Skilled at planning, tracking plans, working cross department to review risks, controls and processes, and gathering and organizing documentation and test results

•  Self-directed, works with minimal guidance, and recognizes when guidance needed

•  Ability to cope with pressure and responsibility