Information Security GRC Analyst - Application Sensitivity Assessments

Job description

Responsibilities

Application Sensitivity Assessments

·  Act as the lead for all Application Sensitivity Assessment matters to ensure the bank identifies the most critical applications
·  Perform all required activities to ensure that Assessments are completed and timely and with quality including coordination with Application Managers and Owners
·  Coordinate with the Paris Data and Cybersecurity (DCS) team to perform global ASA assessments
·  Collect and automate (whenever possible) necessary elements to complete ASAs
·  Act as a subject matter expert and advisor with regards to application sensitivity for all stakeholders

Application Risk Heatmap

·  Act as the lead for all IT Application Risk Heatmap matters
·  Update the heatmap timely (e.g.) quarterly with control status input from the various control and business owners
·  Execute the defined workflow and remediation steps to address all control gaps that are identified as part of the process
·  Collect and automate (whenever possible) necessary elements to update the heatmap
·  Coordinate with the IT Risk department to report results and follow up on control gaps identified
·  Review the effectiveness of controls and perform testing of controls
·  Support the threat framework activities including metrics, research, and documentation

Metrics, KRIs, and KPIs

·  Coordinate with all team members in the DCS organization to contribute to security GRC metrics, OKRs, KRIs, and KPIs
·  Contribute to the security GRC component of the bank's GRC portal (Archer) in line with our security GRC framework
·  Lead efforts to automate generation of metrics and reduce manual processes
·  Contribute to the reporting framework to provide regular metrics and statistics about our business and IT environment; analyze trends in security events, activities, etc., to better understand risks, report security metrics and statistics to the Director of Security GRC
·  Information Security Awareness Campaign and Training
·  Contribute to the development and delivery of security training and provide advice other non-security professionals, including staff in the business units

Profile Required

Knowledge and Experience

·  4-6 years' demonstrable experience in Information Security, security GRC, security project management, security policy management, and other security practices
·  Proficient with MS Office, project management software, and at least one GRC tool (highly recommended)
·  Solid understanding of common security tools (e.g., vulnerability scanners, firewalls, IDS/IPS, AV software) preferred
·  Requires strong analytical skills, problem solving skills, and project/program management skills
·  Solid training in computer disciplines such as application and data security, systems programming, systems design, computer technology or software disciplines
·  Hands-on experience with performing GRC program functions
·  Excellent communication skills

Education/Certifications

·  Bachelor's degree or equivalent business experience in Computer Science, Business Management, or MS required
·  Certified training in security management, risk and compliance solutions and practices
·  CISSP, CCSP, CISA, CISM, GSEC, CRISC, or related certification(s) required

Business Insight

The Information Security GRC Analyst performs Application Sensitivity Assessments (ASA), leads the Application Risk Heatmap process, assists with the creation and generation of Documentation, Reporting, and Analytics, and assists with the creation and delivery of Information Security Awareness Campaigns and other training programs. The position is hands-on and requires strong project management skills and tactical execution. The position requires a solid knowledge of the regulations (e.g., FFIEC, FDIC, SEC, DFS500) and best security practices (e.g., NIST, ISO) applicable to the financial industry. It is essential that the candidate be able to demonstrate practical and in-depth knowledge of security GRC practices and processes including the use of GRC tools such as Archer, reporting tools such as Tableau.

The ideal candidate is proactive and has a successful track record with execution of programs. The Information Security GRC Analyst is a member of the Security GRC Team and reports to the Director of Security GRC. This position is transversal and requires strong collaboration across the organization (regionally in the Americas and globally with our HQ in Paris).

We are an equal opportunities employer and we are proud to make diversity a strength for our company. Societe Generale is committed to recognizing and promoting all talents , regardless of their beliefs, age, disability, parental status, ethnic origin, nationality, sexual or gender identity, sexual orientation, membership of a political, religious, trade union or minority organisation, or any other characteristic that could be subject to discrimination.

Job code: 20000216
Business unit: SG AMERICAS OPERATIONAL SECURITIES
Starting date: Immediate
Date of publication: 01/02/2020