Information Security Analyst

Job Description:

We Deliver the Goods:

• Competitive pay and benefits, including Day 1 Health & Wellness Benefits, Employee Stock Purchase Plan, 401K Employer Matching, Education Assistance, Paid Time Off, and much more
• Growth opportunities performing essential work to support America’s food distribution system
• Safe and inclusive working environment, including culture of rewards, recognition, and respect

Position Summary:

Performance Food Group is looking for a talented Information Security Analyst to play a key role in supporting Information and Privacy Risk Management aspects of the company as a member of the Information Security Department. PFG is in the midst of establishing a Risk Management function that focuses on identifying, quantifying, communicating, and tracking risks associated with information assets. Reporting to the Manager of Information Security Risk Management and working with IT and line of business stakeholders, the analyst will have a heavy focus on compliance with internal/external policies/statutes, IT Risk Management, and Third Party Risk.

Position Responsibilities:

• Conduct risk assessments and maintain risk register.
• Perform assessments of IT controls processes, and systems, identifying gaps and opportunities to enhance design\\operational effectiveness while reducing the cost of compliance.
• Conduct periodic readouts and risk reviews with IT teams and segment/line of business stakeholders to convey risk and influence decision making.
• Assist in maintaining security exception lifecycle, including qualifying associated risk, determining compensating controls, communicating with IT and LOB stakeholders.
• Maintain Business Impact Analysis. Work with IT and LOB teams to maintain Business Impact Analysis, establishing risk categorizations for applications and infrastructure based on mission criticality and sensitivity of hosted data.
• Assist in development and implementation of Enterprise Crown Jewels program. Work with IT, LOB teams, and security control owners to define and govern control parameters for critical applications and technologies.
• KPI/KRI Development and Reporting. Assist in development of control-based Key Risk Indicators and Key Performance Indicators across business segments. Assist in developing associated governance model and metric tiers for consumption by various levels of stakeholders, up to and including the Board of Directors.
• Support IT Risk and exception management governance forums across business segments with varying operational models and business context.
• Support PFG’s Third Party Risk Management Program, assessing third parties for inherent and residual risk based on the nature of their services and their ability to appropriately secure PFG data and provide dependent services.
• Negotiate the inclusion of security requirements into third party contract agreements.
• Develop and Maintain IT Audit and Control documentation.
• Support necessary governance forums (committees, working groups) to ensure sound decision-making and stakeholder communications.
• Identify and report on non-compliance with regulatory mandates (i.e. Sarbanes Oxley section 404 PCI DSS, HIPAA, GDPR, CCPA).
• Support operational audits as necessary.
• Performs other related duties as assigned.

Qualification:

Required Education: Bachelors

Required Experience: 6months - 1 year

• Experience in developing, communicating, and presenting security or risk concepts to varying audiences

• Knowledge of regulatory requirements and frameworks

• Strong teamwork and interpersonal skills

• Experience in assisting with process improvement initiatives

• Hold relevant security certifications or willingness to pursue additional certifications

• Continuous learning mindset

• Experience performing IT and security risk assessments, using both qualitative and quantitative methods to identify, quantify, and communicate risk

• Working knowledge of privacy statutes including the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)

• Experience with Data Classification, Data Security, and Data Loss Prevention methods and tools, especially Microsoft Azure Information Protection

• Strong MS Office skills (specifically PowerPoint, Word, Excel, Project, Visio)

• Strong process analysis and engineering skills

• Experience conducting and documenting business impact analysis, designing and implementing Business Continuity/Disaster Recovery plans

• Experience with IT assurance mandates/frameworks such as Sarbanes-Oxley, CobIT

• Demonstrated leadership skills

• Demonstrated high level of analytical and problem-solving skills

• Excellent written and verbal communication skills

• Ability to influence cross functional and highly matrixes business and IT stakeholders

Company description

Performance Food Group is a customer-centric foodservice distribution leader headquartered in Richmond, Va. Grounded by roots that date back to a grocery peddler in 1885, PFG has a nationwide network of approximately 150 distribution centers, 35,000-plus talented associates, and thousands of valued suppliers across the country. With the goal of helping customers thrive, PFG markets and delivers quality food and related products to independent and chain restaurants, schools, business and industry locations, convenience operations, healthcare facilities, vending distributors, office coffee service distributors, big box retailers, and theaters across the U.S.

Awards and Accolades

Performance Food Group and/or its subsidiaries (individually or collectively, the "Company") provides equal employment opportunity (EEO) to all applicants and employees, regardless of race, color, national origin, sex, marital status, pregnancy, sexual orientation, gender identity, religion, age, disability, genetic information, veteran status, and any other characteristic protected by applicable local, state and federal laws and regulations. Please click on the following links to review: (1) our EEO Policy; (2) the "EEO is the Law" poster and supplement; and (3) the Pay Transparency Policy Statement.