Cloud Security Risk Assessment Engineer
SUMMARY: The Cloud Security Risk Assessment Engineer will be a key member of the Information Security team, contributing to the development and maintenance of information security policies and focusing on assessing and prioritizing cloud risks across the organization. The Engineer will perform risk assessments and control gap analysis against Information Security Policies and Risk Management Standards across the organization's cloud computing ecosystems, and will create, organize and articulate summarized risk findings that are clear and actionable for business stakeholders. The Engineer will mitigate risks by implementing risk management best practices and reporting on the process efforts that protect cloud data assets, and will help prepare for and facilitate cloud assessments and examinations by regulators and qualified security assessors.
Qualifications:
- Bachelor's or Master's degree.
- Five or more years of experience with public cloud platforms such as AWS, Google Cloud or Azure.
- Five or more years of experience in security, compliance and risk management, including privacy and controls.
- Experience with risk assessments and compliance for major regulatory initiatives (e.g. SOX, PCI-DSS, HIPAA, FedRAMP).
- Experience with cyber security and information security program management and frameworks (e.g. NIST CSF, ISO/IEC 27000, FFIEC).
- Exposure to and familiarity with relevant standards such as the ISO/IEC 27000 family (Information Security Management Systems), the NIST Cybersecurity Framework and the NIST SP 800 series, and with applicable laws related to regulatory compliance, information security and privacy (e.g. SOX, HIPAA, GDPR, PCI-DSS).
- Knowledge of information and cloud security risk management and IT controls frameworks and methodologies (e.g. ISO/IEC 27005, COBIT, OCTAVE and CCM).
- Knowledge of the Standardized Information Gathering (SIG) Questionnaire.
- Knowledge of risk management principles (risk avoidance, transfer, mitigation, acceptance) and of the risk assessment process as it relates to the cloud.
- Knowledge of cloud security assessment artifacts: the CSA Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ).
- Knowledge of AICPA SOC for Service Organizations reporting as it applies to a financial institution.
- Experience with IT or technology-related compliance and risk management frameworks, including ISO/IEC 27001, ISO/IEC 27018 and NIST SP 800-53.
Skills and Experience Required:
- Certification: AWS, CCSP, CISM, CEH, CISA or CISSP.
- Cloud Computing:
- Experience with infrastructure and platform services such as IAM, cloud key management services, log management, Zero Trust and DLP.
- Knowledge of native cloud security services.
- Experience with cloud security monitoring tools.
- Experience with cloud endpoint security tools.
- Awareness of Management Services such.
- Cloud Security architecture design.
- Security Compliance Skills:
- Familiarity with cloud security frameworks (e.g. CSA CCM, NIST, ISO, CIS).
- Technical skills to identify and assess cloud security vulnerabilities and risks.
- Expertise in researching and evaluating the risk that identified vulnerabilities pose to the organization's information and systems.
- Produce and provide appropriate reporting to stakeholders (owners).
- Cloud Security Continuous Monitoring Solutions:
- Demonstrated experience in administration/management of continuous monitoring solutions
- Signature Management:
- Tuning of standard signatures, deployment of custom signatures
- Manage continuous monitoring vendors to deliver on the needs of the business.
- Understanding of cloud architecture platforms.
- Soft Skills:
- Can do, customer centric attitude.
- High collaboration and influence skills.
- Willingness to share and learn from others.
- Excels in written and verbal communication skills.
- Ability to adapt to a dynamic and changing environment.
- Ability to comply with any regulatory requirements.
- Experience in IT/Cyber security highly preferred.
- Proven success in contributing to a team-oriented environment.
- Proven ability to work creatively and analytically in a problem-solving environment.
- Excellent leadership, communication (written and oral) and interpersonal skills
Information security risk assessment: Perform cloud security risk assessments and risk management activities across the organization. Establish and maintain risk criteria; identify, analyze and evaluate cloud security risks. Ensure that repeated information security risk assessments produce consistent, valid and comparable results across all the cloud platforms used by the Bank. Maintain a repository of documented information about the information security risk assessment process.
Information security risk management: Select appropriate information security risk treatment options based on risk assessment results and determine all controls necessary for the cloud infrastructure. Serve as the Subject Matter Expert (SME) in the implementation of the information security risk treatment options; compare the controls determined against the reference control set (e.g. ISO/IEC 27001 Annex A) and verify that no necessary controls have been omitted during the cloud implementation process.
Information security governance and compliance: Perform information security, governance, risk and compliance assessments on third-party vendors to ensure supply chain risk is managed throughout the vendor's lifecycle as it relates to cloud computing and other digital assets. Articulate the results of the final assessments to business stakeholders, project sponsors, program managers and other internal parties on cloud-related business initiatives.
Information security review and reporting: Develop and implement a risk reporting framework for management teams and governance committees covering all cloud computing infrastructure. Assist with the continuous evaluation of the effectiveness of the information security program by developing, monitoring, gathering and analyzing information security and compliance metrics for management on the cloud environment. Implement continuous monitoring solutions to understand and explain security risks and mitigation techniques on both on-premises and cloud infrastructure. Produce the appropriate scorecards and related metrics to keep stakeholders updated through weekly reporting or communications on all cloud-related technologies.
Information security relationship management: Assist with responding to customer information security requirements and due diligence. Coordinate and facilitate response gathering in conjunction with other organizational application, support, infrastructure, legal, HR and physical security teams as necessary. Ensure responses are accurate, valid, consistent and reported within the expected timeframes. Maintain a repository of customer information security requirements; track and report on compliance.
Cyber security design and implementation: Design and document cloud controls to ensure that the various business units demonstrate compliance with their regulatory or compliance obligations. Facilitate and coordinate activities and responses related to internal and external cloud controls testing, including entitlement reviews. Facilitate the remediation of control gaps and escalate critical issues to management. Assist with third-party audits and certifications as they pertain to cloud security for the Bank (e.g. SOC, ISO, PCI).
Other areas: Perform other job-related duties as assigned, such as researching, recommending and contributing to information security policies, standards and procedures.
Last updated on Nov 16, 2023