Sr. Information Security Analyst at Granicus LLC (Remote)
Are you looking for meaning and purpose in the work you do?
Granicus is a global (remote first) software as a service company building products for the public sector. We digitize government services for all levels of government: city, county, state and federal. We also work with the UK, Canada, Australia and EU.
Examples of our work:
- City of Oakland, California has used Granicus solutions to enhance its transparency and citizen engagement efforts.
- In the aftermath of Hurricane Harvey, the City of Hurst, Texas was inundated with calls and emails about how to provide donations, dollars or a helping hand, which consumed valuable staff time. They needed a "central source of truth" and an easier way to get vital information to residents before, during and after the hurricane.
- Michigan Department of Health and Human Services (MDHHS) needed an efficient way to improve and increase foster parent recruitment in the state with a 400% over goal result.
See Success Stories to learn more about the impactful work we've done in communities across the country and world.
Some quick highlights about us:
- #1 GovTech company
- 22B messages sent annually (22B is not a typo)
- 280M subscribers
- 900+ global employees (300+ on the product team)
- Remote first company; this is not temporary. Should you be seeking an in-person or hybrid situation and live near one of our hubs, we can accommodate you.
See Careers to learn more about working at Granicus.
About this role:
- Hiring Manager: Mike Sangillo - Information Security Program Manager - LinkedIn Profile
- Salary Range: $90,000 - $120,000 +bonus (starting salary may differ by experience and/or location)
- Interview process: 5-6 steps that can be done in 2 weeks (calendars permitting)
Note: the following is a profile or persona of who we are looking for. If you have many of the characteristics below, and we want to learn more about all your skills, please apply so we can start a conversation.
The Sr. Information Security Analyst is part of the Granicus Security team, with primary responsibility for maintaining security documentation and supporting internal and external security assessments of Granicus cloud systems and products to ensure cohesive awareness of risk and risk reduction capabilities. Owns delivery of assigned security compliance projects in support of ongoing compliance programs. Assists the team with other security and/or privacy compliance projects as assigned. Services should be performed in accordance with professional and department standards. Responsibilities include assessing the current adequacy of security strategy and controls for assigned systems, calculating the impact of potential adverse events, and facilitating risk mitigation planning and review sessions. This role assists with internal and third-party risk assessments.
What You'll Do:
- Support security risk management framework for assigned Granicus applications using technical, writing, and auditing skills.
- Two primary functions are as follows:
  - Maintain existing and new information security and privacy policies, plans, and procedures within the framework of assigned compliance programs, including System Security Plans (SSP) and related security documentation for internal systems
  - Prepare for, participate in, and support security certification and NIST 800-53 based compliance audits (FISMA, FedRAMP, 800-171, CMMC, etc.) and ISO 27001 compliance audits – internal, externally contracted, or both as assigned
- Work with engineering, product development, and key stakeholders to clearly assess compliance to selected/assigned security and privacy controls, and identify and define remediation steps to address vulnerabilities
- Lead and conduct, or assist with, internal NIST SP 800-53A and ISO 27001 assessments of internal systems when required, through personnel interviews and documentation review, to determine compliance with policies and procedures, recommend corrective actions, and prepare findings reports
- Gather or coordinate the collection of necessary evidence
- Maintain POA&Ms and track associated mitigation for assigned products
- Assist in the facilitation of GRC systems to improve documentation maintenance and documentation reuse.
- Track compliance matrices across all supported security and privacy frameworks
- Assist with the review and processing of monthly vulnerability scan results for assigned systems and work with the technical teams to ensure vulnerabilities are resolved on time
- Track SLAs on audit and continuous monitoring findings
- Manage 3rd-party assessments and penetration testing as assigned
- Self-manage assigned projects; report status and performance metrics, issues, and recommendations for success
Who You Are:
- You have at least 5 years working with information security governance, compliance, or auditing, with at least 3 years as a lead assessor and at least 2 years' direct or related experience assessing information systems following NIST Special Publications, e.g. NIST 800-37, 800-53, 800-137, etc.
- You have strong knowledge of a variety of IT technologies, architectures, concepts, best practices, and procedures, as well as information security principles, standards, tools, and methodologies
- You have experience with assessing commercial cloud environments
- You have a strong "accountant-like" mindset and attention to detail, ability to interface with all levels of personnel (system administrators, ISSO, developers, etc.)
- You have proven problem-solving and analytical ability, with the capacity to prioritize key issues from large amounts of input
- You can effectively handle ambiguous, dynamic tasks while able to adjust focus in response to events and circumstances
- You have at least 5 years' experience writing/defining/clarifying requirements for technical teams, including authoring deliverables such as System Security Plans (SSP), Contingency Plans, Incident Response Plans, Security Assessment Reports (SAR), Plans of Action and Milestones (POA&M), and Business/Security Impact Analyses (BIA/SIA).
- You can communicate clearly in small groups
- You are results oriented with the ability to self-manage and work independently
- You have excellent organizational, planning, and time management skills
- You are effective in Microsoft Word, Excel, and PowerPoint
- You have at least one of the following certifications: Security+, CAP, CISA, CISM, CISSP
- You understand and prioritize work according to time and resource constraints
- You are comfortable with presenting work to small audiences (10-20 people)
- You can operate effectively both independently and in teams, making progress on tasks while dealing with potential process and project ambiguity
- You have a strong desire to work in the Information Security and privacy field
- You understand risk management concepts
- You are flexible and able to function in a fast-paced and dynamic environment
- You can work within and coordinate with other agile-based teams
- Experience with JIRA and Confluence is strongly desired
- You have a working knowledge of, and ability to submit, non-complex database queries
- You have FedRAMP experience