Full Job Description
SUMMARY: The Information Security Risk Assessor is a technical resource that works closely with IT teams to integrate security throughout the application/software implementation lifecycle by assessing application security throughout the application workflow. The assessment engineer is responsible for the evaluation of new projects and for conducting routine security assessments that adhere to the company’s security guidelines, information security best practices and industry compliance requirements, and that enforce the bank’s network and security policies. The risk assessor will work with the business owner, vendor management, application teams, network and security engineers to document the application information flow, generate a threat model (using an approach such as STRIDE or similar) to highlight the attack surfaces, identify the various security control enforcement points, and risk assess the computer threats (using a method such as DREAD or similar). The documentation produced will highlight the control items and mitigation gaps as applicable.
ESSENTIAL JOB FUNCTIONS:
Work with EagleBank Risk and Vendor management to document and execute the Third Party / Vendor Information Security Risk Assessment program.
Provide expert security architecture oversight for programs and projects, to enable risk-based decision making with Business, IT, Risk and Information security stakeholders in EagleBank.
Conduct information security assessments to identify security risks in applications, systems and networks before they are implemented and to supplement the Vendor Risk Assessment efforts. Provide an initial security assessment review report together with identified deficiencies, which will enable vendor management to sign off on product acquisition contract paperwork.
Work with development teams to provide appropriate and effective remediation guidance for vulnerabilities discovered during various project/program implementation security assessments.
Work with the business owner, vendor management, application teams, network and security engineers to document the application information flow.
Review vendor provided compliance and security reports such as SSAE16 SOC1/SOC2, ISO 27001, NIST 800-53, FedRAMP, PCI-DSS, CSA CAIQ, etc.
During the implementation phase, generate a threat model using Microsoft STRIDE or a similar approach to highlight the attack surfaces, identify the various security control enforcement points, and risk assess the computer threats using DREAD or a similar methodology. Work with enterprise risk to document the residual risk in the IT risk register.
Be responsible for delivering the annual information assets risk assessment, preparing the annual cybersecurity preparedness assessment (using the FFIEC Cyber Security Assessment tool or equivalent) and completing the cybersecurity controls assessment (using the NIST Cyber Security Framework or equivalent). These reports will provide input into the Annual Information Security Report to the Board.
Work with IT and business stakeholders to provide security guidance and promote a positive security mindset.
Works with vendor management to obtain all documentation for review, to investigate and resolve concerns, and to recommend changes.
Reviews vulnerability announcements from vendors, US-CERT and FS-ISAC advisories.
Provides weekly security status report. Escalates issues to manager, information security, enterprise risk and teams as appropriate.
Other duties as assigned.
Bachelor’s Degree in a related field. Master’s preferred.
Certification in information security such as GIAC/CISA/CISM/CRISC/CISSP.
10 years of IT work experience, with at least 5 years as an information security risk assessor.
Recent experience working as a risk assessor in a leading financial services firm.
Experience and expertise in security reviews and technology risk assessments.
Solid understanding of information security policies, standards, industry best practices, and frameworks (ISO 27000, NIST 800-53, FISMA, BITS, etc.).
Experience with web application assessment, network penetration testing, and vulnerability research.
Ability to document and explain risks and vulnerabilities to both business and technical stakeholders.
Working knowledge of common OS and domain structures, servers, services, and associated vulnerabilities.
Extensive network security technical skills, including firewalls, AD, etc.
Experience with Windows, Linux/Red Hat and other operating systems, and with .NET/Java applications.
Solid understanding of multi-tiered and cloud architecture.
Solid understanding of application security and system design.
Solid understanding of the Software Development Lifecycle (SDLC) and Agile methodologies.
Be familiar with FFIEC Handbook controls.
Familiarity with common vulnerabilities and attack vectors.
PHYSICAL AND MENTAL QUALIFICATIONS:
Occasional travel, as required.
Ability to lift 20 pounds or more for the purpose of handling computer equipment.
STYLE OR APTITUDE TRAITS:
Ability to work effectively with a diverse group of users who have varying levels of computer expertise.
Ability to multi-task while working in a fast-paced, ever-changing environment.
Excellent analytical and problem-solving skills.
Strong written and oral communication skills. Ability to develop and document security procedures.
Demonstrates a commitment to Relationships F.I.R.S.T. in all areas of job performance.