Job Id: NC-528907 (98690513)
Security Analyst/EGRC Admin (CISSP) with GRC software, NIST, RMF Governance, HIPAA, IRS, PII, PCI, Security Controls, Enterprise Audit, 3rd party assessment and IBM OpenPages experience
Location: Raleigh, NC 27609 (NCDIT)
Duration: 12 Months
Agency Interview Type: Either Webcam Interview or In Person
Required / Desired Skills
Skill | Required / Desired | Years
Enterprise level Governance, Risk, and Compliance (GRC) software platform administration experience | Required | 5 Years
Enterprise level NIST Risk Management Framework experience | Required | 5 Years
Enterprise level Risk Assessment and RMF Governance experience | Required | 3 Years
Experience in securing HIPAA, IRS, PII, PCI and other Federal data types | Required | 3 Years
Enterprise level experience with Security Controls implementation | Required | 3 Years
Experience working with Enterprise Audit and 3rd party assessment teams | Required | 3 Years
Enterprise level IBM OpenPages experience | Highly desired | 3 Years
CISSP or equivalent certification | Highly desired |
This position reports to the State Chief Risk Officer (SCRO) and supports the SCRO in ensuring that the Department of Information Technology (DIT) State data centers comply with Federal and State policies. In conjunction with the Enterprise Security and Risk Management Office (ESRMO), the Specialist will perform compliance assessments of Information Technology security controls and ensure timely reporting of issues and remediation actions. The candidate will be responsible for monitoring and testing the effectiveness of NIST security controls and compliance with all applicable Federal and State mandates and policies. This position will also be directly responsible for the oversight of remediation actions, using the State’s Governance, Risk and Compliance (GRC) tool for tracking and reporting purposes. This position must stay abreast of regulatory changes and assess the impact of those changes on infrastructure and on security and privacy policies.
Duties and Responsibilities:
• Identify, aggregate, report and escalate compliance risks, issues and control enhancements
• Respond to internal and external inquiries for information to clarify regulatory requirements
• Assist with development of processes to identify, quantify, analyze, and report on State Data Center risk and compliance status
• Update relevant policies to ensure they reflect regulatory requirements
• Implement and maintain attestation documentation sufficient to ensure compliance with Federal and State regulatory, legal, and functional policies and procedures
• Assist in the execution of governance and management routines
• Contribute to monitoring and testing of security controls, plans and related metrics
• Configure, operate and maintain the statewide GRC tool
• Monitor risk mitigation and coordinate policy and controls to ensure that other business units are taking effective remediation steps
• Working knowledge of statistics and the ability to apply statistical techniques in evaluation designs and analysis
• Ability to supervise projects and give instructions to technical staff and consultants as needed
• Support key business initiatives by identifying compliance risks and providing resolutions to manage these risks
• Serve as a resource regarding compliance impact on matters such as agency business risks
• Lead and review application security risk assessments for new or updated internal or third-party applications
• Collaborate with a broad group of stakeholders to ensure compliance with State and Federal policies and standards
• Serve in an advisory role on application development and infrastructure projects to assess security requirements and controls, and ensure that security controls are implemented as planned
• Participate in other Security and Compliance projects as required
Knowledge, Skills and Abilities / Competencies
• Education requirement: Bachelor’s degree
• Requires in-depth knowledge of security issues, techniques and implications across all existing computer platforms
• Candidate should have the ability to gather & analyze information, identify problems & recommend solutions & ability to interpret laws & regulations as they apply to compliance assessments & technical IT reviews.
• Thorough knowledge of NIST Risk Management Framework (RMF)
• Self-starter with minimal management supervision
• Ability to communicate effectively, both verbally and in written formats
• Demonstrated excellent analytical, problem-solving, and quantitative skills
• Ability to exercise discretion and demonstrate sound judgment in making decisions
• Ability to apply an understanding of security/controls risk vs. business impact in decision making
• Ability to work well in a team environment
• Proficiency in word processing and flow-charting (e.g., Visio) software applications
• Proficiency in using advanced features of spreadsheet software applications
• Working knowledge of SOC 2 internal control reports and FedRAMP
• Working knowledge of the ISO 27000 series of standards and of PCI, FTI, HIPAA, CJIS and FERPA compliance requirements
• Ability to travel as needed to successfully perform position responsibilities
• Ability to maintain confidentiality of materials handled
• Working experience with GRC tools, IBM OpenPages or RSA Archer preferred
Minimum Education and Experience Requirements
• 4+ years of experience in IT Security, IT Audit or IT Governance, Risk and Compliance
• IT industry security certification (CISA, CISSP, CRISC or GIAC) or equivalent working experience