Position Purpose
IT Security Analyst with a focus on vendor and third-party risk management. Conducts independent, comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
Job Function
Information Technology
Required Education & Experience
Bachelor's degree or alternate combination of education/experience that results in equivalent job knowledge is required. Two or more years' experience in any of the following areas: Cyber Security, IT Systems Architecture, IT Systems Administration, IT Auditing or a related field.
Preferred Qualifications
- A successful academic or work background indicating a demonstrated ability to absorb information, apply conceptual skills in practical applications, and achieve desired results in a highly technical operating environment.
- Strong analytical and problem-solving background; good project management skills with the ability to multitask and manage multiple small projects in a cross-functional environment.
- Must deal effectively with rapid technological and business change while maintaining enthusiasm and displaying sound judgment and common sense.
Certifications preferred may include:
- ISC2 Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
Job Description
- Perform initial and periodic risk assessments, and other necessary reviews, to identify, measure and manage third party information security risks based on company standards and risk appetite, leveraging demonstrated working knowledge of industry security practices
- Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers)
- Provide dedicated support to the information security risk management processes for onboarding and oversight of all new and existing third-party vendor relationships
- Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment
- Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network
- Perform security reviews, identify gaps in security architecture, and develop a security risk management plan
- Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
- Review contracts, project documentation, system design documents, vendor security policies and other vendor security references (e.g., SOC 2 Type II reports, SIG, AUP, PCI ROC, BitSight, etc.) to determine the extent, type, and scope of risks of the vendor relationship
- Communicate to business units and cross-functional teams regarding significant third-party information security events and escalate to senior management, when applicable
- Coordinate with IT architects, project teams and vendors to bring system designs into alignment with company security standards
- All other duties and projects as assigned
Work Conditions
Normal office environment.
Physical Effort
Primarily sitting with optional standing and walking.
Louisville Gas and Electric Company and Kentucky Utilities Company
220 W Main St
Louisville
Kentucky, United States
lge-ku.com/