5 days ago

EITS Security Risk Analyst

Jobs via Dice

Hybrid
Full Time
$140,000

Job Overview

Job Title: EITS Security Risk Analyst
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $140,000
Location: Hybrid

Job Description

Job Summary

The EITS Security Risk Analyst will perform vulnerability scans, assess identified vulnerabilities, and prioritize their remediation. This role involves enhancing the current vulnerability management program and interfacing with various Information Technology teams to articulate vulnerabilities and remediation plans. The individual must translate IT security requirements into technical control specifications and assist in coordinating IT activities for security implementation and management.

Preferred Qualifications

Educational Level: A bachelor's degree in information systems is required.

Certifications: CISSP, CISM, GSEC, CEH, or other relevant security qualifications are preferred.

Knowledgeable In:

  • Experience with vulnerability scanning tools, preferably Rapid7.
  • Strong knowledge of vulnerability and patch assessment.
  • Deep understanding of vulnerability scoring systems (CVSS/CMSS) and security frameworks like OWASP (Open Web Application Security Project) and MITRE ATT&CK.
  • Good understanding of Windows and Linux patching.
  • Excellent writing and communication skills for conveying findings and remediation status.
  • Knowledge of network and operating system security.
  • Familiarity with encryption algorithms, known vulnerabilities from alerts, advisories, errata, and bulletins.
  • Ability to utilize/understand open-source tools such as Nmap, Shodan, and Metasploit to identify and confirm vulnerabilities and attack surface.
  • Strong knowledge of infrastructure, application, and security protocols, in addition to configuration management techniques.
  • Knowledge of network security architecture concepts, including topology, protocols, components, principles (e.g., application of defense-in-depth), and traffic flows (e.g., TCP & TCP/IP, OSI).
  • Experience working with network access, identity, and access management (e.g., Active Directory, access federation, multifactor authentication, PKI).
  • Experience working with operating systems (Microsoft Windows, Linux, UNIX, etc.).

Years of Experience: A minimum of ten years of IT experience, with at least seven years dedicated to IT/Cyber Security, including Solution Design.

Responsibilities Will Include:

  • Support Information Security and Risk Management by maintaining and enforcing the Information Security and risk management framework/methodology, including execution of risk analysis and risk mitigation strategies.
  • Manage the process of gathering, analyzing, and assessing the current and future threat landscape, providing the CISO with a realistic overview of enterprise risks and threats.
  • Exhibit best practice risk management skills through effective internal risk controls, risk monitoring, risk assessment, and improvement of risk management processes.
  • Document and maintain the enterprise security risk governance methodology and risk management policy, process, and procedure.
  • Work with various stakeholders to identify information asset owners to classify data and systems as part of a control framework implementation.
  • Organize and perform enterprise security risk assessments and gap analyses for all new technologies, products, and functions, maintaining risk project work plans.
  • Track and document all internal risk reviews, assessments, risk acceptances, and security exceptions in a GRC tool.
  • Collaborate with the enterprise architecture team to ensure convergence of business, technical, and security requirements; liaise with IT management to align existing technical installed base and skills with future architectural requirements.
  • Develop a strong working relationship with the security engineering team to develop and implement controls and configurations aligned with security policies and legal, regulatory, and audit requirements.
  • Serve as the information security liaison and subject matter expert for all relevant EMR and PHI related security risk.
  • Conduct or participate in all relevant audits and risk assessment activities (whether operational risk, legal/compliance risk, reputational risk, or information security risk).
  • Aid in the planning and execution of risk remediation activities, including identifying practical, cost-effective solutions.
  • Facilitate team meetings between stakeholders, project leaders, and Information Technology teams.
  • Attend regular team, management, and project meetings and provide both verbal and written reports to the Leadership Team as required, potentially coordinating with an Operational Risk Committee.
  • Keep informed on current threats and industry regulations.

Key Skills/Competency

  • Vulnerability Management
  • Risk Assessment
  • Security Frameworks
  • Rapid7
  • OWASP
  • MITRE ATT&CK
  • Network Security
  • Operating Systems
  • GRC Tools
  • Information Security

How to Get Hired at Jobs via Dice

  • Research NMK Global Inc.'s culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume: Highlight extensive experience in vulnerability management, risk assessment, Rapid7, and security frameworks relevant to the EITS Security Risk Analyst role.
  • Showcase technical prowess: Prepare to discuss expertise with scanning tools, CVSS/CMSS, OWASP, MITRE ATT&CK, and operating system security during interviews.
  • Emphasize risk management skills: Be ready to provide examples of maintaining security frameworks, conducting risk analyses, and facilitating remediation activities.
  • Network strategically: Connect with current and former NMK Global Inc. employees on LinkedIn for insights and potential referrals, demonstrating proactive engagement.