The Information Security Risk Analyst is part of the Vanderbilt University Information Technology department and is a key individual contributor responsible for performing hands-on risk assessments while helping to implement and maintain a comprehensive information security risk management program. This includes defining key risk indicators, risk registers, processes and standards. The Information Security Risk Analyst will work with various departments to identify, measure, and report on risk based on the NIST Cybersecurity Framework and compliance regulations such as PCI, NIST 800-171, and ITAR.
About the Work Unit:
Vanderbilt Information Technology is a division of Vanderbilt University, formally created July 1, 2013, with the mission of providing world-class information technology to Vanderbilt University and Medical Center. As of May 2016, the Medical Center and the university are legally separate entities, and this organization serves the university community. The new division brings together the staff and functions of multiple different information technology departments and organizations across the enterprise.
Key Functions and Expected Performance:
Continuously identifies, assesses, measures and monitors information technology risk by performing hands-on risk assessments.
Identifies security and control deficiencies for business units and communicates recommended remediations; documents and monitors the implementation of controls for applications, technologies and assets to address those identified deficiencies.
Assists with vendor assessments for evaluations and tracking of risk changes.
Maintains assessment criteria for applications and systems used to measure the compliance of company policies, procedures, standards, security training programs, technical infrastructure, applications and development efforts against defined compliance baselines.
Develops, documents, maintains and supports the information security risk management program in line with information security policy, practices and leading industry standards.
Understands the information security risks pertinent to the university's business goals and technology infrastructure, and supports an enterprise information security risk program to identify, assess and respond to those risks.
Maintains an up-to-date understanding of emerging trends in information security risks; applies new techniques and trends, in-line with overall information security objectives and risk tolerance.
Evaluates security policy, processes and procedures for completeness.
This position does not have supervisory responsibility; the position reports administratively and functionally to the Director of Information Security.
Education and Certifications:
A Bachelor's degree in Computer Science or Information Systems from an accredited institution of higher education is necessary.
A Master's degree in Computer Science or Information Systems from an accredited institution of higher education is preferred.
A security certification (CRISC, CISSP, or SSCP) is preferred.
Experience and Skills:
At least three years of experience in Information Security Risk is necessary.
Thorough knowledge and strategic understanding of information security principles, practices, and requirements as they relate to a major academic research institution is preferred.
Outstanding interpersonal skills and a demonstrated ability to communicate and work effectively in business partner relationships are preferred.
Demonstrated integrity and the ability to maintain principles and make appropriate decisions under ethical pressure are preferred.
Knowledge and understanding of Federal, State, and University laws, regulations, and standards pertaining to information security and privacy is preferred.
Ability to effectively explain, promote, and defend the value of security initiatives to top management is preferred.
Ability to develop successful information security solutions that are consistent with and that support institutional business strategies and practices is preferred.
Ability to anticipate need and effectively assist the organization to rapidly adjust and respond to ever-changing information security conditions and trends is preferred.
Knowledge and understanding of current and emerging technological and operational solutions in the area of information security is preferred.
Key Characteristics of a Successful Team Member in this Work Unit:
Analytical & Detail-Oriented – Accurately assesses information and applies applicable law, policy and procedure. Considers the long-term implications of today's actions and advises employees appropriately. Even small mistakes can create big issues; attention to detail indicates care about the outcomes.
Adaptability – Reads cues and adapts accordingly. Adjusts style and approach to accommodate the styles and needs of others. Can anticipate and effectively de-escalate potential conflicts.
Hard-Working – Is industrious as well as efficient (busy isn't the same as productive). Can juggle multiple competing priorities simultaneously without becoming overwhelmed.
Integrity – Holds oneself accountable; takes responsibility for failures as well as successes, recognizes that trust is required to hold a team together.
Maturity – Exhibits professional maturity; doesn't pass the buck to dodge accountability; doesn't engage in petty office politics or inappropriate social conduct.
Internal Number: 1801489
About Vanderbilt University
Vanderbilt University is a center for scholarly research, informed and creative teaching, and service to the community and society at large. Vanderbilt will uphold the highest standards and be a leader in the quest for new knowledge through scholarship, the dissemination of knowledge through teaching and outreach, and the creative experimentation of ideas and concepts. In pursuit of these goals, Vanderbilt values most highly intellectual freedom that supports open inquiry, equality, compassion, and excellence in all endeavors.