Salt River Pima-Maricopa Indian Community

Scottsdale, Arizona, United States

Senior Cybersecurity Compliance Analyst

Posted 4 days ago

Job Description

Definition

Under the general supervision of the Cyber Security Manager, the incumbent will be responsible for ensuring IT compliance with IT Risk Management, Cybersecurity, Governance, and Operational Program guidelines. The role involves participating in establishing and maintaining compliance guidelines and program procedures. As a member of the cybersecurity team, the individual will be responsible for completing regular assessments of audit and compliance adherence across the organization. The incumbent serves as a leader to the IT organization to ensure that we meet the requirements and expectations of customers and agencies that the SRPMIC partners with to provide services to the Community. This job class is treated as FLSA Exempt.

Essential Functions: Essential functions may vary among positions and may include the following tasks and other characteristics. This list of tasks is ILLUSTRATIVE ONLY and is not intended to be a comprehensive listing of tasks performed by all positions in this classification.

Examples of Tasks

1. IT Compliance Program: Develops and manages the IT Compliance Program.
  • Ensures organizational compliance with required laws and standards, including but not limited to HIPAA, FERPA, PCI, NIST, SOC, and operational standards such as DevOps security.
  • Ensures the IT organization completes environmental risk assessments and evaluates operations to ensure they meet the organization's accepted risk tolerance level.
  • Ensures consistency in meeting the established control processes.
  • Reports compliance program performance to IT Executive Management and Governance.
  • Establishes, maintains, and enforces compliance operating policies for organizational information, applicable security procedures, and support practices to ensure the quality of compliance services provided.
  • Identifies potential areas where existing policies and procedures require change or where new ones need to be developed within the IT organization to meet compliance goals.
  • Participates in breach event management and is responsible for ensuring that the assigned event coordinator completes the incident response procedures, including the breach mitigation process.
  • Manages software consultants, vendors, and contract management for security and audit vendors.
  • Serves as project manager for various projects as necessary and is responsible for adhering to the established project management methodology.
  • Works with resource managers to allocate resources and prioritize work schedules to accomplish project milestones and deadlines.

2. IT Risk Program: Manages the IT risk assessment program.
  • Provides reports to the IT Director/CIO and other members of the senior leadership team.
  • Reviews compliance with the information cybersecurity policies, controls, and associated procedures.
  • Ensures new risks are identified and mitigated in a timely manner.
  • Ensures that Community systems and users adhere to required cybersecurity standards and contractual agreements made with agencies and entities.

3. Compliance Governance: Responsible for monitoring the framework of standards, processes and activities for the compliance program and adjusting it to incorporate new controls that address emerging risks, redesigning weak control processes and developing training programs to improve security awareness among employees.
  • Provides cybersecurity presentations.
  • Completes cyber risk assessments and studies with analysis and recommendations.
  • Provides cybersecurity consultation services.
  • Provides cybersecurity training.
  • Effectively communicates strategy and operational plans to executives and staff.

4. Leadership: Provides compliance leadership to the cybersecurity and operations team staff to ensure organizational compliance with multiple audit agencies and cybersecurity control frameworks implemented by the SRPMIC.
  • Responsible for leading the IT organization in the continuous improvement of the IT Compliance Program. Serves as the primary contact for audit coordination, facilitating written responses to audit findings and developing mitigation plans with key stakeholders.
  • Promotes shared responsibility across the IT organization through education and program development.
  • Develops and communicates cybersecurity strategies and plans to the management team, staff, partners, customers, and stakeholders.
  • Forms partnerships that help drive the IT compliance strategy forward.
  • Responsible for effective communication with IT teams, customers, and entities involved in audits and the effective operation of the compliance program.

5. Vendor Security Compliance: Maintains relationships with vendors to ensure compliance with security standards and deliverables.
  • Conducts vendor security assessments to ensure compliance with SRPMIC policies and standards, evaluating a vendor's security practices, controls, and overall compliance with SRPMIC's established security guidelines.
  • Identifies and collaborates with IT teams to propose mitigation options when needed.
  • Maintains a strong relationship with vendors, ensuring they stay up to date with any changes to SRPMIC's security policies and standards, including maintaining a vulnerability management program and incident response plan that meets organizational guidelines.
  • Ensures appropriate data management and handling of SRPMIC data.

6. Miscellaneous: Performs other IT job related tasks as assigned by the Cyber Security Manager, IT Assistant Director - Enterprise Architecture, or IT Director/CIO.

Knowledge, Skills, Abilities and Other Characteristics:
  • Knowledge of the history, culture, laws, customs and traditions of the SRPMIC.
  • Knowledge of IT security system configuration, administration and maintenance.
  • Knowledge of up-to-date cybersecurity system architecture, technical cybersecurity standards and industry best practices.
  • Extensive knowledge in enterprise security architecture design and enterprise security document creation.
  • Knowledge of CIS Critical Controls and NIST control sets.
  • Knowledge of SAS Controls and Audit procedures.
  • Knowledge of the development and maintenance of an organizational Cybersecurity Plan.
  • Knowledge of cybersecurity best practice standards.
  • Knowledge of HIPAA, HIPAA HITECH, PCI and FERPA compliance.
  • Knowledge of incident response processes and procedures.
  • Knowledge and understanding of project management principles.

  • The skill to learn and adapt to the Community's needs, style and organizational expectations for conduct and responsiveness.
  • A passion for technology and security safeguarding with a desire to deliver.
  • Skill identifying and working with third-party vendors.
  • Skill developing Requests for Proposals (RFP).
  • Skill assessing the impact of new service requests for products and systems.
  • Skill providing problem investigation, troubleshooting and problem resolution.
  • Skill establishing and maintaining effective working relationships with peers, business partners, customers, vendors and supervisors.
  • Skill with excellent verbal and written communication.

  • Ability to communicate to all levels of the organization from executives to technical staff.
  • Ability to develop and enhance IT policies, procedures and best practices.
  • Ability to project-manage complex projects and initiatives.
  • Ability to adapt to a fast-moving IT landscape and keep pace with the latest thinking and new security technologies.
  • Ability to perform cybersecurity reviews and coordinate the proper, effective and timely corrective action.
  • Ability to provide enterprise cybersecurity strategy, cybersecurity risk and data privacy information and education in a concise and comprehensible manner.
  • Ability to interpret the applicability of local and federal laws/regulations as they apply to secure company operations; in particular, experience with FedRAMP and NIST 800 requirements.
  • Ability to assess Business Continuity Plans and Disaster Recovery Plans.
  • Ability to assess the administration of the Community's data cybersecurity awareness program.
  • Ability to provide vision, forward-looking insight and leadership regarding strategic infrastructure and data security issues.
  • Ability to utilize problem solving techniques, improvisation and creativity to accomplish goals.
  • Ability to analyze data, draw logical conclusions and make sound decisions and recommendations.
  • Ability to work in a team environment.


Minimum Qualifications

Education: A Bachelor's degree from an accredited college or university in Information Audit and Compliance Management, Information Systems, Management Information Systems, Computer Science or a related discipline.

Experience: Five (5) years of direct work experience in Infrastructure Security Management and IT Cybersecurity Industry Best Practices required.
  • Five (5) years of demonstrated expertise performing the following 5 tasks required:
    • Managing a technology risk management program.
    • Completing technology audit and compliance assessments.
    • Experience in the cybersecurity aspects of multiple platforms, operating systems, software applications and databases.
    • Excellent interpersonal, communication, organizational, and project management skills and strong judgment and analytical ability.
    • Established and managed governance and compliance boards.

  • Five (5) years of full-time experience demonstrating expertise performing the following tasks required:
    • Completing technology risk assessments.
    • Completing a risk mitigation plan and managing projects to complete the established plans.
    • Establishing the objectives and overseeing the implementation of a corporate or government Technology Compliance program.
    • Establishing the objectives and overseeing the implementation of an organization's compliance policies and associated training/infrastructure to support privacy policies.

  • One or more of the following certifications is preferred:
    • International Information Systems Security Certification Consortium (ISC)2 Certifications
    • Certified Information Systems Security Professional (CISSP)
    • Certified Information Systems Auditor (CISA)
    • Certified Information Security Manager (CISM)
    • Advanced Certificate in Internal and Information Technology Audit

Equivalency: Any equivalent combination of education and/or experience that would allow the candidate to satisfactorily perform the duties of this position will be considered.

Underfill Eligibility: An enrolled Community Member who closely qualifies for the minimum qualifications for a position may be considered for employment under SRPMIC Policy 2-19, Underfill.

Special Requirements

  • May be required to work outside normal business hours including nights, weekends and holidays. All applicants applying for jobs will be subject to a Pre-Employment Drug Test and extensive Fingerprint and Background Check. In addition, all employees providing services to a campus with children will be subject to the "Community Code of Ordinances", Chapter 11 "Minors", Article X. "Investigation of Persons Working with Children", random drug testing and completion of a background check every five (5) years.
  • Prior to hire as an employee, applicants will be subject to drug and alcohol testing, and will be required to pass a pre-employment background/fingerprint check.

"SRPMIC is an Equal Opportunity/Affirmative Action Employer." Preference will be given to a qualified: Community Member Veteran, Community Member, Spouse of Community Member, qualified Native American, and then other qualified candidates.

In order to obtain preference, the following is required: 1) Qualified Community Member Veteran (DD-214 will be required at the time of application submission), 2) Qualified Community Member (must provide Tribal I.D. at time of application submission), 3) Spouse of a Community Member (Marriage License/certificate and spouse's Tribal ID or CIB is required at time of application submission), and 4) Native American (Tribal ID or CIB required at time of application submission).

Documents may be submitted by one of the following methods:
1) attach to application
2) fax (480) 362-5860
3) mail or hand deliver to Human Resources.

Documentation must be received by the position closing date.
The IHS/BIA Form-4432 is not accepted.
Your Tribal ID/CIB must be submitted to HR-Recruitment-Two Waters.

Benefits:

The SRPMIC offers a comprehensive benefit package including medical, dental, vision, life, disability insurance, and a 401(k) retirement plan. In addition, employees enjoy vacation and sick leave and 13 paid holidays.