
Information Security Analyst (GRC)

Citgo Petroleum Corporation
Houston, TX Other
POSTED ON 1/31/2024 CLOSED ON 4/3/2024

What are the responsibilities and job description for the Information Security Analyst (GRC) position at Citgo Petroleum Corporation?

Our Favorite CITGO Perks are:

  • Remote Work options available for eligible positions
  • Options are department and/or location specific
  • 9/80 Work Schedule Option (where applicable)
  • Annual Vacation Incentive (40-120 hours of additional pay) for Eligible Employees
  • Paid Vacation Time
  • Company-Paid Holidays
  • Parental Leave
  • Excellent 401(k) Match
  • Pension Plan
  • Company-Paid Sick Leave and Long-Term Disability
  • Medical, Dental, & Vision Plans; FSA and HSA options
  • Company-Paid Life Insurance for Active Employees
  • Healthy Rewards Program
  • Service Awards Program
  • Educational Assistance Plan
  • Dependent Children Scholarships
  • Reimbursement for Gym Membership
  • Employee Discount Programs
  • On-site Health Clinic
  • On-site Cafeteria (select locations)
  • On-site Credit Union and ATM (Corporate office only)
  • On-site Fitness Center (select locations)

PLEASE NOTE ALL JOBS DO NOT QUALIFY FOR ALL PERKS

Relocation

Relocation Benefits are not available for this position.

Note

Employer will not sponsor visas for position

Job Summary

We are seeking an Information Security Analyst to join our organization. The primary responsibility of this role is to actively contribute to cybersecurity risk management initiatives. This involves identifying, assessing, and mitigating potential risks to our organization's information assets. Other key responsibilities in cybersecurity risk management include enhancing our employees' understanding of information security principles and practices. This position plays a crucial role in mitigating security risks by ensuring that employees are well-informed and adhere to best security practices. This role is also pivotal in ensuring the proper classification and secure handling of sensitive data, safeguarding it from unauthorized access or exposure. The analyst will be responsible for enhancing our data security procedures, training employees, and ensuring compliance with data protection regulations and industry best practices.

Minimum Qualifications

Degree / The minimum number of years of job related experience required is:

  • High School Diploma. Required.
  • Bachelor's Degree in Information Security, Computer Science, or a related field. Preferred.
  • Bachelor's Degree with 8 years of experience OR 12 years of experience in lieu of a degree.

List any specialized training or unique skills required:

  • Professional certifications such as Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) are a plus.
  • A solid understanding of information security principles, best practices, and current threats.
  • In-depth knowledge of application security principles, best practices, and common vulnerabilities.
  • Experience and working knowledge of security-related technology (e.g., Identity Management tools, MFA, etc.).
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Strong communication and presentation, analytical and problem-solving skills.
  • Highly motivated self-starter who can self-prioritize to ensure optimum & timely results.
  • Attention to detail and a commitment to maintaining up-to-date knowledge of the field.

Job Duties

1. Application Risk Management:

  • Assist the Risk Management team in conducting comprehensive risk assessments of applications, software systems, and their components to identify vulnerabilities and potential security threats, as well as risks on access control and identity management platforms.
  • Collaborate with IT leaders, SMEs, and development teams to recommend and prioritize application security measures and controls to track, mitigate, and remediate identified risks.
  • Evaluate security controls, architecture, and data flows to assess the application's overall security posture.
  • Keep up-to-date with emerging threats and vulnerabilities to maintain the security of applications and assist in the design and implementation of security improvements.
  • Ensure that applications adhere to industry best practices, security standards, and regulatory requirements (e.g., OWASP Top Ten, NIST, ISO 27001).

2. Data Security:

  • Develop, implement, and maintain a comprehensive data classification framework to categorize data based on its sensitivity and importance.
  • Assist the Information Security governance team to develop data classification policies, standards, and guidelines. Develop and maintain data handling guidelines that define the appropriate security controls, access restrictions, encryption, and retention policies for each data classification level.
  • Collaborate with various departments to assess the sensitivity of data stored, processed, or transmitted within the organization.
  • Assign appropriate data classifications to ensure protection in line with business requirements and regulatory mandates.
  • Regularly monitor data access and usage to ensure compliance with data classification policies.
  • Enforce data handling guidelines and investigate and report any violations or incidents.
  • Ensure that data handling practices comply with data protection regulations (e.g., GDPR, HIPAA) and industry standards (e.g., NIST, ISO 27001).
  • Keep up-to-date with changes in data protection laws and assess their impact on data classification and handling practices.

3. Security Awareness Program:

  • Enhance, maintain, and monitor an effective security awareness program that aligns with organizational goals and industry best practices.
  • Regularly review and update corporate Information Security page(s) and security awareness materials to ensure they remain current and relevant.
  • Collaborate with subject matter experts to incorporate the latest security trends and threats into training content, including ensuring that employees are aware of and adhere to information security policies and procedures.
  • Collaborate with business departments to integrate security awareness into their processes and policies.

4. Information Security:

 

  • Collaborate with the incident response team to provide guidance and support during data security incidents, breaches, or data leaks.
  • Continuously oversee adherence to policies and ensure accurate audit logs that align with the organization's requirements.
  • Support, monitor, and audit the development of mitigations for application security vulnerabilities, including penetration assessments, in compliance with organizational standards.
  • Identify issues and root causes and provide oversight and facilitation of remediation plans, including security concepts, controls, and awareness & training aligned with CITGO Policy, Standards & Specifications.
This job has expired.