Description

Responsibilities:
· Perform PCI, SOC 2, ISO, and applicable State of Florida cybersecurity controls-related reviews to ensure that current and new technology infrastructure complies with these standards and the Department's security policies.
· Plan and perform IT security control effectiveness assessments. Manage remediation efforts for the identified gaps, including assessment of new or enhanced implemented controls.
· Maintain the IT security risk and compliance matrix and perform management reporting. This will include IT systems controls and business process risks to meet compliance requirements. Provide risk mitigation strategies.
· Maintain the Third Party Risk Management Program (TPRM) and analyze SOC 2 and other reporting, including mapping to key IT security and compliance controls such as NIST, PCI, and COBIT.
· Manage the IT security vulnerability management program aligned with PCI and NIST standards.
· Identify and rank the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important.
· For the most critical and sensitive assets and operations, estimate the potential losses or damage that could occur if a threat materializes, including recovery costs.
· Identify cost-effective actions to mitigate and reduce risk. These actions can include implementing new organizational policies and procedures as well as designing technical or physical controls.
· Coordinate, track, and verify remediation of audit findings.
· Document the results and develop a plan of action and milestones for mitigating any identified risk.
· Produce formal audit reports based on ISACA Audit Standards.
· Promote compliance with regulatory requirements (e.g. PCI DSS) and IT best practices.

Required Qualifications:
Candidate MUST have:
· 7-10 years of IT Audit experience (CISA certified preferred)
· 3 years of IT Risk Management lifecycle experience
· 3 years of hands-on technical experience (e.g. developer, system administrator)
· Experience working with the NIST 800-30 Risk Assessment Standard
· Extensive experience with IT General Controls evaluation and design
· Advanced skill level in business process mapping and documentation as well as policy and procedure development
· Recent experience in Information Security with up-to-date knowledge of the current threat landscape
· Solid understanding of PCI DSS standards
· Bachelor's Degree in Computer Science, Information Systems, Business Administration, or other related field and/or equivalent work experience

Preferred Qualifications:
CISA and CISSP certifications (preferred).

Education

Any Graduate