The Sr. Information Security Analyst is part of the Granicus Security team, with primary responsibility for maintaining security documentation and supporting internal and external security assessments of Granicus cloud systems and products, so that risk and risk-reduction capabilities are understood consistently across the organization. The role owns delivery of assigned security compliance projects in support of ongoing compliance programs and assists the team with other security and/or privacy compliance projects as assigned. Services should be performed in accordance with professional and department standards. Responsibilities include assessing the current adequacy of the security strategy and controls for assigned systems, calculating the impact of potential adverse events, and facilitating risk mitigation planning and review sessions. This role also assists with internal and third-party risk assessments.
What You'll Do:
· Support security risk management framework for assigned Granicus applications using technical, writing, and auditing skills.
· Two primary functions are as follows:
o Maintain existing and new information security and privacy policies, plans, and procedures within the framework of assigned compliance programs including System Security Plans (SSP) and related security documentation for internal systems
o Prepare for, participate in, and support security certification audits and NIST SP 800-53-based compliance audits (FISMA, FedRAMP, NIST SP 800-171, CMMC, etc.) as well as ISO 27001 compliance audits, whether internal, externally contracted, or both, as assigned
· Work with engineering, product development, and key stakeholders to clearly assess compliance with selected/assigned security and privacy controls, and identify and define remediation steps to address vulnerabilities
· Lead or assist with internal NIST SP 800-53A and ISO 27001 assessments of internal systems, as required, through personnel interviews and documentation review; determine compliance with policies and procedures, recommend corrective actions, and prepare findings reports
· Gather or coordinate the collection of necessary evidence
· Maintain POA&Ms and track associated mitigation for assigned products
· Assist in administering GRC systems to improve documentation maintenance and documentation reuse
· Track compliance matrices across all supported security and privacy frameworks
· Assist with reviewing and processing monthly vulnerability scan results for assigned systems, and work with the technical teams to ensure vulnerabilities are resolved on time
· Track SLAs on audit and continuous monitoring findings
· Manage 3rd-party assessments and penetration testing as assigned
· Self-manage assigned projects and report status, performance metrics, issues, and recommendations for success
Who You Are:
· You have at least 5 years of experience in information security governance, compliance, or auditing, including at least 3 years as a lead assessor and at least 2 years of direct or related experience assessing information systems following NIST Special Publications (e.g. NIST SP 800-37, 800-53, 800-137)
· You have strong knowledge of a variety of IT technologies, architectures, concepts, best practices, and procedures, as well as information security principles, standards, tools, and methodologies
· You have experience with assessing commercial cloud environments
· You have a strong "accountant-like" mindset and attention to detail, ability to interface with all levels of personnel (system administrators, ISSO, developers, etc.)
· You have proven problem-solving and analytical ability, with the capacity to prioritize key issues from large amounts of input
· You can effectively handle ambiguous, dynamic tasks while able to adjust focus in response to events and circumstances
· You have at least 5 years of experience writing, defining, and clarifying requirements for technical teams, including authoring deliverables such as System Security Plans (SSP), Contingency Plans, Incident Response Plans, Security Assessment Reports (SAR), Plans of Action and Milestones (POA&M), and Business/Security Impact Analyses (BIA/SIA)
· You can communicate clearly in small groups
· You are results oriented with the ability to self-manage and work independently
· You have excellent organizational, planning, and time management skills
· You are effective in Microsoft Word, Excel, and PowerPoint
· You have at least one of the following certifications: Security+, CAP, CISA, CISM, CISSP
· You understand and prioritize work according to time and resource constraints
· You are comfortable with presenting work to small audiences (10-20 people)
· You can operate effectively independently and in teams, making progress on tasks while dealing with potential process and project ambiguity
· You have a strong desire to work in the Information Security and privacy field
· You understand risk management concepts
· You are flexible and able to function in a fast-paced and dynamic environment
· You can work within and coordinate with other agile-based teams
· Experience with JIRA and Confluence is strongly desired
· You have a working knowledge of, and ability to submit, non-complex database queries
· You have FedRAMP experience
*starting rate may vary by experience and/or location