The Information Security Risk Analyst is part of the Vanderbilt University Information Technology department and is a key individual contributor responsible for performing hands on risk assessments while helping to implement and maintain a comprehensive information security risk management program. This includes defining key risk indicators, risk registers, processes and standards. The Information Security Risk Analyst will work with various departments to identify, measure, and report on risk based on the NIST Cybersecurity Framework and compliance regulations such as PCI, NIST 800-171, and ITAR.
Vanderbilt University Information Technology is committed to delivering world-class technology and service in support of excellence in teaching, learning, and research across the university. Our guiding principles of developing our team, consistently communicating, setting the dials right, cultivating governance, and focusing on our customers drive our mission to advance the academic strategic plan and institutional priorities of Vanderbilt University.
Duties and Responsibilities
Designs and advises in the creation of secure environments and compliance solutions to mitigate risks and ensure controls are built into every aspect of enterprise architecture.
Continuously identifies, assesses, measures and monitors information technology risk by performing hands-on risk assessments.
Identifies and communicates recommended security and control deficiencies for business units; documents and monitors the implementation of controls for applications, technologies, and assets to address those identified security and control deficiencies.
Evaluates enterprise security architecture to ensure that disparate system components are well integrated, secure, and operating efficiently.
Establishes information security baselines for applications, systems, and environments to reduce institutional risk and comply with applicable statutory requirements.
Conducts regularly scheduled assessments on systems, diagnoses the root cause of problems, and proposes solutions.
Assists with vendor assessments for evaluations and tracking of risk changes.
Maintains assessment criteria for applications and systems to measure the compliance of company policies, procedures, standards, security training programs, technical infrastructure, applications, and development efforts against defined compliance baselines.
Creates, develops, documents, maintains and supports the information security risk management and compliance program in line with information security policies, practices and leading industry standards.
Evaluates, quantifies, and communicates risk across the vendor, internal controls, and cyber domains.
Translates laws and regulatory requirements related to information protection, and develops appropriate processes to achieve and maintain compliance and reduce risk.
Provides support in the creation, implementation, and maintenance of appropriate enterprise programs, policies, and procedures to comply with applicable regulations and frameworks such as ISO, SOC, HIPAA, PCI, and FedRAMP/FISMA.
Understands the information security risks pertinent to the institution's business goals and technology infrastructure, and supports an enterprise information security risk program to identify, assess, and respond to risks.
Maintains an up-to-date understanding of emerging trends in information security risks; applies new techniques and trends in line with overall information security objectives and risk tolerance.
Profile of an Ideal Candidate
A Bachelor’s degree in Computer Science or Information Systems from an accredited institution of higher education is necessary.
A Master’s degree in Computer Science or Information Systems from an accredited institution of higher education is preferred.
Security Certification (CRISC, CISSP, and SSCP) is preferred.
At least three years of experience in Information Security Risk is necessary.
Hands-on experience with system administration of Linux and Windows systems is necessary.
Knowledge and understanding of implementing and reviewing NIST 800-53 or NIST 800-171 controls is necessary.
Thorough knowledge and strategic understanding of information security principles, practices, and requirements as they relate to a major academic research institution is preferred.
A strong technical background in desktop, networking, and server engineering is preferred.
Hands-on experience with vulnerability and application testing is preferred.
Outstanding interpersonal skills and demonstrated ability to communicate and work effectively in business partner relationships is preferred.
Demonstrated integrity and ability to maintain principles and make appropriate decisions under ethical pressure is preferred.
Knowledge and understanding of Federal, State, and University laws, regulations, and standards pertaining to information security and privacy is preferred.
Ability to effectively explain, promote, and defend the value of security initiatives to top management is preferred.
Ability to develop successful information security solutions that are consistent with and that support institutional business strategies and practices is preferred.
Ability to anticipate needs and effectively assist the organization in rapidly adjusting and responding to ever-changing information security conditions and trends is preferred.
Knowledge and understanding of current and emerging technological and operational solutions in the area of information security is preferred.
Commitment to Equity, Diversity and Inclusion
Vanderbilt University is committed to achieving the goal of a diverse and inclusive academic community of faculty, staff, and students. We seek individuals who are committed to this goal and our campus values.
Vanderbilt University is an equal opportunity, affirmative action employer. Women, minorities, people with disabilities and protected veterans are encouraged to apply.
Job: Information Technology Professionals
Primary Location: United States-Tennessee-Nashville
Organization: 46700 - IT Security Operations