Information Security Risk Analyst

Primary Purpose of Job

Supports the company’s information security program to ensure that policies, procedures, standards and practices are in place to adequately identify, assess, mitigate, manage, monitor and report on key information security risks.

Major Job Accountabilities

• Works with IT and internal operations to ensure safeguarding of all confidential, proprietary, privileged, and protected information assets, including customer data. Monitors essential processes to ensure compliance with policies, standards, practices, and guidelines. Assists in verifying compliance with information security requirements of applicable laws, regulations, and Bank policies and procedures, including but not limited to GLBA, FACTA, PCI DSS, Anti-Money Laundering laws and regulations, Bank Secrecy Act, and USA PATRIOT Act.
• Develops and performs information security and vulnerability assessments, including testing of applications, systems, and infrastructure to ensure appropriate protection of sensitive customer and company information. Conducts risk analyses and recommends remediation for deficiencies. Tracks and assesses remediation(s) to ensure compliance with policies and operational standards.
• Performs information security risk management activities including information security risk assessments, vendor risk reviews, and monitoring remediation of identified gaps and issues.
• Develops reports on key program effectiveness metrics, including analytics for actionable insights.
• Ensures technical enforcement and effectiveness of internal security controls to maintain integrity of organizational networks, systems, and applications.
• Develops and conducts bank-wide/departmental information security training. Maintains current knowledge of evolving information security risks, particularly regarding cyber security, trends with risk mitigation tools, and changes to industry regulations affecting financial institutions.
• Recommends, maintains, develops, and revises all information security governance documentation.
• Builds and matures a culture focused on the proactive awareness and improvement of the information security risk environment.
• May occasionally work evening/night hours as needed to address critical situations.

Experience Required

Minimum of four (4) years of the following experience:

• Direct experience in developing information security programs and assessing effectiveness of such programs, preferably within a financial services organization.
• Experience with risk management frameworks, internal controls, and risk concepts.
• Experience with information security frameworks and general areas of information security.

Required Skills or Training

• Verified self-motivated learner bringing a sense of enthusiasm to a hands-on working environment, with the ability to independently research and develop solutions to unique challenges.
• Knowledge of risk management, business process design, and risk concepts with a background in financial, regulatory, information security, and/or enterprise risk management.
• Proven critical thinker with the ability to research, assess, and effectively communicate IT risks and develop, recommend, and monitor corresponding controls.
• Proven excellent interpersonal, verbal, and writing skills to clearly communicate to a diverse audience, with verified ability to build and maintain relationships across diverse technical and non-technical teams.
• Established acute analytical skills, including the ability to consolidate broad data sets from multiple sources, both internal and external, to identify patterns and/or risk factors.
• Verified knowledge and experience with a broad range of security frameworks and standards such as PCI, NIST, ISO 2700 series, etc. Knowledge of the SOX, Federal Financial Institutions Examination Council (FFIEC) and section 501(b) of the Gramm-Leach-Bliley Act.
• Ability to independently apply risk management concepts in various and novel situations to accurately identify, assess, and conclude on risks, while also determining alternatives or designing mitigating controls/activities.
• Knowledge and experience with several networking, operating systems, platforms, client/server, web applications, and general information security technologies is a plus.
• Knowledge and experience with General IT Controls (GITC) and maturity models from various frameworks (SOX, FFIEC, CIS, etc.) is a plus.

EOE, including disability/veterans

At American Savings Bank, we welcome and support all individuals and celebrate the diversity of our team members, customers and community. We are committed to ensuring that our online application process is accessible and provides an equal employment opportunity to all job seekers. If you need assistance searching for a job or submitting an application, please contact us by calling 808-538-2000 and a member of our Recruitment team will follow up with you. Mahalo for your interest in American Savings Bank!