Senior Security Analyst | Governance Risk and Compliance  

Provide Information Security Senior Level support and expertise in the following areas but not limited to:

Governance, Risk and Compliance (GRC), Assist the defensive team in Security Monitoring, Incident Response, Threat Hunting and Intelligence. Gather inputs from Offensive Security team (Vulnerability Management, Penetration Testing and Application Security Review) to enhance risk treatment and policies-and-standards development.

Performs risk assessment and provides recommendations cyber risk treatment strategies. Maintain and update the cyber risk register, monitor risk mitigation activities and reports risk profile of the organization. Update, review and develop information/cyber security policies, standards, guidelines, and procedures, making sure of its relevance and controls are in place for the emerging threat landscape.

Performs document review including but not limited to third party review, privacy and security assessments, contracts, scope of works ensuring compliance and controls are in place. Plans, execute and measure content protection and information security awareness campaign in alignment to policies, compliance, and regulatory requirement on the organization.

Assist in information security incident response, tracking risk mitigation and control implementation completion. Provides inputs to defensive security team to minimize incidents and gathers input from offensive security team to enhance risk mitigation and control implementation.

Perform other tasks that maybe assigned by CIS head like project management, access control management, compliance-audit review among others.

Responsibilities:

• Performs risk assessment of new (projects, engagements, major changes) and existing systems.
• Maintain and update the infosec risk register.
• Reports (and escalate if needed) the risk profile of the organization.
• Update, review and develop information/cyber/content security policies, standards, guidelines, and procedures.
• Performs document review including but not limited to third party review, privacy and security assessments, contracts, scope of works ensuring compliance and controls are in place.
• Plans, execute and measure content protection and information security awareness.
• Reports the content and infosec awareness of the organization.
• Works with other business units like Audit, Fraud Management and Technology Group to ensure policy compliance.
• Act as a point of escalation for L1 Analysts in support of content and information security governance, risk and compliance issues.
• Provide guidance and oversight on incident resolution, containment techniques, remediation, and recovery efforts.
• Review and understand data collected from GRC metrics to recommend improvement initiatives.
• Work with Content and Information Security Head to better security operations and address identified deficiencies.
• Work with content protection team to automate and institutionalize content protection and anti-piracy activities.
• Participate in evaluating, recommending, implementing controls, and troubleshooting security tools.
• Other tasks that may be assigned by the CIS Head.

• Bachelor's Degree in a relevant area of study with a preference for Information Security, Computer Science, ECE or Computer Engineering
• 5 years or more experience in Information Security
• Governance, Risk Management, Audit and Compliance Experience
• Working knowledge with different standards and best practices (Example: ISO27XX, NIST CSF, CIS Controls, OWASP, MPAA, PCI-DSS, Cloud Security Alliance)
• Working knowledge of different security architectures, standards, technologies, and concepts such as but not limited to VA/PT, SIEM, DLP for gateway and endpoints, NGFW, UTMs, IPS/IDS, WAF, Cloud Infrastructure, Security Operations Center, Digital Forensics, User Awareness platforms, Patch Management.
• Experience investigating security events, identifying threats and resolving vulnerabilities in large and complex environments.
• Host-based and network analysis/forensics capability
• Knowledge in Programming, SDLC, Agile, Shift Left, DevSecOps Methodology
• Asset and Systems Inventory, Change Management Experience
• Knowledge in Ethical hacking
• Understanding and knowledge of a broad range of technologies (Windows, Unix, authentication technologies, border networks)
• Advance knowledge of IT security and solid understanding of Information Security concepts, risk management and practices
• People management skills
• Excellent written and verbal communication and presentation skills.
• Certifications may include CISM, CISA CRSC, CISSP, GSEC, CHFI, GCIH etc