Job Description

The Security Controls Engineer is a technology- and process-focused security professional with an emphasis on information security controls, risk assessment, regulatory compliance, and security consultation. The role applies information security concepts, knowledge, and skills to support a comprehensive information protection program. The Security Controls Engineer evaluates and monitors the current state of security controls across the organization related to people, process, and technology, as well as those of third-party vendors external to the organization.

General Responsibilities:

  • Collects and prioritizes the top, most-pressing IT security risks (regulatory, security of critical enterprise applications and infrastructure, vendors, etc.); analyzes and monitors them, and derives strategic decisions that balance risk against the operational and economic costs of protective measures.
  • Performs interviews with company senior management and business owners to confirm anticipated business effects resulting from the actual occurrence of any of the identified enterprise security risks.
  • Leverages inventory of key vendors, applications, processes, and infrastructure items and their impact to the top and most-pressing IT security risks. Additionally, maps applications, processes, and infrastructure items to appropriate security risks.
  • Identifies key controls (policy, procedure, practice, and/or organizational structure) that if implemented would provide reasonable assurance that security objectives will be achieved and undesired events will be prevented or detected and corrected.
  • Reviews, develops, and implements security control plans, vendor security agreements, and security exceptions to control standards.
  • Conducts technical security reviews and assessments of vendors, applications, processes, and IT infrastructure.
  • Analyzes data collected during security reviews and assessments of vendors, applications, processes, and IT infrastructure in order to determine the current state of security risk across the company.
  • Develops remediation plans to address issues discovered as a result of security reviews and/or assessments of vendors, applications, processes, and IT infrastructure. Works with management to assign remediation responsibilities, actions, and priorities.
  • Monitors and tracks remediation activities to address weaknesses and issues discovered through security reviews or audits of vendors, applications, processes, and IT infrastructure.
  • Develops strategies to ensure compliance with security standards, as well as regulatory and audit issues.
  • Provides periodic reporting, including assessment findings and recommendations for improvement to applicable constituencies (e.g. executive management, facility leadership, and governance committee).
  • Identifies security-related regulatory requirements (e.g. PCI-DSS, SOX, HIPAA), and interacts with internal and external assessors and auditors to ensure ongoing compliance.

Education, Experience, and Certifications:

  • 3+ years of experience – Required
  • Bachelor’s Degree – Preferred
Other Preferred Qualifications:

  • Certifications (preferred, but not required):
    • CISSP - Certified Information Systems Security Professional
    • GSEC - GIAC Security Essentials Certified
    • CISA - Certified Information Systems Auditor
    • PCIP - PCI Professional Training
    • HCISPP - Healthcare Information Security and Privacy Practitioner
  • Preferred areas of experience:
    • Security Technologies/Methodologies
    • IT Audit/Risk Management
    • Information Security Metrics and Reporting
    • Systems Control Review Process
    • Application/Infrastructure Control Review Process
  • Working knowledge of the COSO and COBIT methodologies
  • Experience with ISO27001, HIPAA, Sarbanes-Oxley, PCI-DSS
  • Experience with IT risk, regulatory, or compliance responsibilities
  • Excellent analytical and interpersonal skills
  • Excellent oral and written communication skills

Education

Bachelor's degree