The Information Security Analyst is part of the Granicus Security team, ensuring cohesive awareness of risk and of our risk-reduction capabilities, and collaborating easily with the other departments that support our Security Program. The analyst owns delivery of assigned security compliance projects in support of ongoing compliance programs and assists the team with other security and/or privacy compliance projects as assigned. Services should be performed in accordance with professional and department standards. Responsibilities include assessing the current adequacy of security strategy and controls for assigned systems, calculating the impact of potential adverse events, and facilitating risk mitigation planning and review sessions. This role assists with internal and third-party risk assessments.
What You’ll Do:
· Own the risk management framework for assigned Granicus applications
· Work with engineering, product development, and key stakeholders to clearly assess compliance to selected/assigned security and privacy controls, and identify and define remediation steps to address vulnerabilities
· Develop and support maintenance of System Security Plans (SSP) and related security documentation for internal systems, including plan and policy updates
· Prepare for, participate in, and support security certification and NIST 800-53 based compliance audits (FISMA, FedRAMP, 800-171, CMMC, etc.)
· Gather or coordinate the collection of necessary evidence
· Conduct/lead internal NIST SP 800-53A assessments on internal systems through personnel interviews and documentation review to determine compliance with policies and procedures, recommend corrective actions, and prepare findings reports
· Manage 3rd-party assessments and penetration testing as assigned
· Create POA&Ms and track the associated mitigation
· Review and process monthly vulnerability scan results for assigned systems and work with the technical teams to ensure vulnerabilities are resolved on time
· Track SLAs on audit and continuous monitoring findings
· Self-manage assigned projects; report status, performance metrics, issues, and recommendations for success
Who You Are:
· You have at least 5 years working with information security governance, compliance, or auditing, with at least 3 years as a lead assessor and at least 2 years of direct or related experience assessing information systems following NIST Special Publications, e.g. NIST 800-37, 800-53, 800-137, etc.
· You have at least 5 years' experience writing, defining, and clarifying requirements for technical teams, including authoring deliverables such as System Security Plans (SSP), Contingency Plans, Incident Response Plans, Security Assessment Reports (SAR), Plans of Action and Milestones (POA&M), and Business/Security Impact Analyses (BIA/SIA).
· You know a variety of IT technologies, architectures, concepts, best practices, and procedures, as well as information security principles, standards, tools, and methodologies
· You have experience with assessing commercial cloud environments
· You have an "accountant-like" mindset and attention to detail, along with organizational, planning, and time management skills
· You have proven problem-solving and analytical ability, with the capacity to prioritize key issues from large amounts of input
· You can effectively handle ambiguous, dynamic tasks and adjust focus in response to events and circumstances
· You are results-oriented, with the ability to self-manage and work independently
· You have strong written and verbal communication skills, and can present clearly in small and medium (~20 person) groups
· You are flexible and can function in a fast-paced and dynamic environment
· You have a working knowledge of and ability to submit non-complex database queries
· You have strong expertise in Excel and the MS Office Suite
· Experience with JIRA and Confluence is strongly preferred
· Experience with NIST 800-53 based controls is required; FedRAMP experience is a plus
· Security+, CAP, CISA, CISM, or CISSP certifications are strongly preferred
Granicus is committed to providing equal employment opportunities. All qualified applicants and employees will be considered for employment and advancement without regard to race, color, religion, creed, national origin, ancestry, sex, gender, gender identity, gender expression, physical or mental disability, age, genetic information, sexual or affectional orientation, marital status, status with regard to public assistance, familial status, military or veteran status, or any other status protected by applicable law.
At Granicus, we offer a competitive benefits package that allows employees to tailor benefits to their needs. Benefits listed below are for employees based in the U.S.