Sr Information Security Compliance Analyst

Hybrid
Senior
United States

Under the general direction of the Manager, responsible for ensuring information security compliance with industry and company standards and objectives. Provides technical expertise on the design, development and implementation of security controls within the ISO. Assesses security risks related to vendors, new technology and new products. Partners with subject matter experts (SMEs) in evaluating and improving internal controls. Conducts compliance assessments for NERC CIP standards and ISO information security requirements.

What You Will Be Doing:

  • Performs business and technical analyses of medium to high complexity that may impact the company's information security and compliance programs and regulatory requirements, such as NERC CIP standards. Reviews issues reported to the Information Security Compliance team and performs overall analysis of compliance including interviewing of staff, research, root cause analysis and proposing mitigation strategies.
  • Designs and executes internal control tests to identify control gaps and areas for improvement. Ensures alignment with NERC CIP and ISO information security policies and standards. Designs and supports the implementation of controls and aligns controls to standards. Collaborates with control owners and SMEs to mitigate information security and compliance risk identified during the internal controls testing and provides estimated completion dates.
  • Partners with the team lead to conduct information security risk assessments. Performs analysis of historical and current environments to aid with risk planning for information security. Reviews and contributes to the security risks for business application development project plans, and participates in related benchmarking and gap analyses. Participates in information security vendor assessments to mitigate compliance risk.
  • Provides guidance to SMEs and technical teams in conducting compliance assessments of new and existing systems. Provides technical expertise to projects that involve secure information security architectures, electronic data traffic network security, platform and data security and privacy. Collaborates with information security operations to advise on risk assessments for enterprise computing platforms and provides recommendations for new information technology applications under consideration.
  • Supports, champions, and provides training and education on the Security Awareness Program throughout the company. Prepares and administers training plans for staff to ensure compliance with company standards and objectives. Assists with information security policy and procedure activities as needed. May mentor junior staff.

Requirements

Level of Education and Discipline:

A Bachelor's degree (BA, BS) or equivalent education, training or experience in Computer Science, Information Technology, Management of Information Systems, or related technical field. Master's degree preferred.

Amount of Experience:

Equivalent years of education and training, plus five (5) or more years related experience.

Certifications:

CISSP, CCNA, and/or Unix Certification helpful.

Type of Experience:

Experience in IT related fields or NERC CIP compliance. Information systems and network security administration. Experience with communications protocols, methodologies and standards related to information security, access control systems, encryption and related matters. Working knowledge of application systems, network architecture, multiple platforms including Unix and Windows OS, and knowledge of up-to-date information security technologies including firewalls, real-time intrusion detection and related applications. Experience in the energy sector, or with FERC, NERC, or CIP standards. Experience reviewing and preparing compliance related requests. Understanding of energy industry security practices, such as NIST and ISO.

Additional Skills and Abilities:

Must be able to work effectively in a team environment as facilitator and team member. Excellent analytical, verbal and written communication and documentation skills required, with a demonstrated attention to detail. Ability to use deductive reasoning and analytical thinking with sound judgment and decision-making skills. Excellent interpersonal and conflict resolution skills are also essential. Must be self-starting and willing and able to work independently in a dynamic corporate organization under pressure of tight deadlines and aggressive expectations. Must be self-motivated, with problem-solving skills and the ability to influence others without direct authority.

Proven ability to effectively manage multiple projects simultaneously. Must be able to effectively present technical information to non-technical personnel.


California ISO


The California Independent System Operator (ISO) manages the flow of electricity across the high-voltage, long-distance power lines that make up 80 percent of California's power grid.

Clean energy
Climate action
Utilities
Large Enterprise

1998
