This job listing has expired and the position may no longer be open for hire.

Sr. Information Security and Compliance Analyst at NewRez LLC

Posted in General Business 30+ days ago.

Type: Full-Time
Location: Coppell, Texas





Job Description:

Exceed the expectations of our residential mortgage borrowers & business partners through superior service, simple processes, and effective communications.
We deliver on this mission by empowering our employees, by encouraging and recognizing superior performance and innovative solutions, and by promoting teamwork and divisional cooperation.

POSITION SUMMARY

The Sr Information Security Analyst provides first line of defense IT Security services, consultation, leadership and subject matter expertise to businesses and functions on Information Security related matters. They review, design, and develop security operational processes, standards, and procedures utilizing current and new technologies to improve security controls and business performance. The Senior Analyst - Information Security provides input on strategic information security direction that is aligned with corporate business objectives and regulatory requirements.

Direct Reports

  • N/A

Principal Duties



  • Subject Matter Expertise - Serves as information security subject matter expert to business areas, project teams and vendors to apply and execute appropriate use of technology solutions and participates in efforts to examine technology vision, opportunities and challenges contributing input with regard to security standards and the impact of the technology.



  • Security Trends - Continually works to enhance breadth and depth of knowledge and experience. Benchmarks technology strategies and architectures. Monitors and anticipates trends and investigates organizational objectives and needs. Provides guidance on security solutions and prepares benchmarking reports and presentations.



  • Project Oversight - Assesses project risk and complexity. Performs project handoffs including preparing documentation, educating, and supporting to ensure smooth transitions. Assists with the selection and design of tools that allow reuse of design components and patterns between projects.



  • Vendor/Tool Selection - Participates in the research, evaluation, proof-of-concept, selection, and implementation of technology solutions. Negotiates with vendors. Provides detailed analysis of pros and cons and build vs buy options. This includes interaction with vendors, IT, and business area contacts to facilitate flexible and scalable solutions. Ensures that the technical design considers security controls, performance, confidentiality, integrity, availability, access, and total cost. Develops working solutions or prototypes and resolves any issues that arise.



  • Strategy & Architecture - Implements security strategy, architecture, and tools in accordance with company standards, policies, procedures, and other formal guidance, ensuring security technology standards and best practices are maintained across the organization.



  • Process Improvement - Promotes implementation of new technology, solutions, and methods to improve business processes, efficiency, effectiveness, and value delivered to customers. Maintains operational, architectural and design documentation including procedures, task lists, and architecture blueprints.



  • Information Security Risk Management - Assists with information security risk management processes, program, and strategy. Aligns information security activities with NYDFS, SOX, and GLBA regulatory requirements and internal governing enterprise risk management policies. Identifies security gaps and deficiencies by conducting risk assessments; recommends corrective action for identified vulnerabilities and weaknesses. Assists with the planning, testing, tracking, remediation, and risk acceptance for identified security risks. Assists with the creation and publication of internal controls. Ensures requisite compliance monitoring is in place to identify control weaknesses, compliance breaches and operational loss events. Ensures adequate compliance resources and training, fostering a risk and compliance focused culture and optimizing relations with corporate compliance members and regulators.



  • Due Diligence - Assists with enterprise due-diligence activities including security monitoring and security metrics to evaluate effectiveness of the enterprise security program and established controls.



  • Incident Response - May assist in conducting security incident response activities and post-event reviews of security incidents. Creates clear and professional documentation of root cause and risk analysis of all findings. Troubleshoots and/or executes action plans for issue resolution. May participate in investigation and contribute to reports of security threats and incidents.


  • Secure Application Development - Performs highly technical/analytical security assessments of custom web applications, mid-tier application services and backend mainframe applications, including manual penetration testing, source code and configuration review using a risk-based intelligence-led methodology. Identifies potential misuse scenarios. Advises on secure development practices.


  • Secure Testing - Assists with security testing projects according to a structured process, including writing test plans, test cases and test reports. This may include configuration and deployment of security testing software and application of results to security analysis. Demonstrates basic proof-of-concept exploits of vulnerabilities.


  • Mentoring - Interfaces with peers and senior leadership, communicates at all levels. Provides guidance to less experienced Information Security team members.

Education and Experience Requirements


  • Bachelor's degree in Information Security, Information Technology, Information Systems Management, Computer Science, Engineering or related field(s) or equivalent demonstrated work experience.


  • 5+ years of experience in the areas of Information Technology, Information Security, and/or Information Risk Management.


Knowledge, Skill, and Ability Requirements


  • Working knowledge of:

    • Windows-based platforms, application, and TCP/IP network security technologies


    • Information security concepts, principles, and components of a comprehensive information security program


    • Application Security concepts including common application security issues such as OWASP Top 10


    • Control frameworks and control objectives




  • Aptitude for and interest in information and application security


  • Self-motivated and results-oriented, including ability to prioritize conflicting demands.


  • Exceptional organizational skills to balance work and lead projects.


  • Demonstrable leadership and interpersonal skills with experience in mentoring team members


  • Strong initiative, consensus-building, and ability to collaborate directly and build strong relationships with a variety of internal and external stakeholders (business, development, compliance, etc.)


  • Strong written communication (writing sample may be requested) and professional verbal communication skills, experienced facilitator, and presenter


  • Ability to adapt and apply information to new scenarios and technologies.


Additional Preferred qualifications:


  • Relevant professional certifications or working towards attainment such as: GCIH/GSEC, CISM, CISA, CISSP, CRISC


  • Knowledge of common web technologies, enterprise, and network architecture


  • Understanding of:

    • modern security tools and controls


    • secure development life cycle methodologies


    • programming languages or other scripting languages


    • web-based application architectures (IIS, Apache, etc.)


    • financial industry regulations such as GLBA, PCI, and SOX


    • application protocols such as MS-SQL, LDAP, and SSO


    • data protection controls


    • applied use of cryptography




  • Knowledge of or demonstrated experience with defense in depth, trust levels, privileges, and permissions


  • Knowledge of or demonstrated experience in application penetration testing


  • Knowledge of or experience in development of mainframe and Unix platforms


  • Large complex multi-national Financial Services industry related experience



Major Challenges and Role Context:

  • Fast paced environment requiring execution of multiple simultaneous deliverables.


  • Indirect reporting structure with conflicting deliverables and timelines.


  • Influence stakeholder compliance with regulatory standards while managing deadlines.


Working Conditions:


  • Extended working hours may be required as dictated by management and business needs.


  • May be required to lift, push, or pull materials weighing up to twenty (20) pounds.


  • May be required to sit and review information on a computer screen for long periods of time.


  • May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.


While this description is intended to be an accurate reflection of the position's requirements, it in no way implies/states that these are the only job responsibilities. Management reserves the right to modify, add or remove duties and request other duties, as necessary.

Company Perks:
• 15 Paid Time Off (PTO) days and 18 after 1st anniversary!
• 9 Paid Holidays
• Casual Workplace
• Employee Engagement Activities

Company Benefits:
• Medical (including Health Savings Account & Flexible Savings Account)
• Dental
• RX
• Vision
• Life, Disability Insurance
• 401(k) Plan with company match!
• Employee Assistance Plan
• Performance-based Incentives
• Pet Insurance
• Advancement Opportunities

Newrez NOW:

• Our Corporate Social Responsibility program, Newrez NOW, empowers employees to become leaders in their communities through a robust program that includes volunteering, philanthropy, nonprofit grants, and more
• 1 Volunteer Time Off (VTO) day, company-paid volunteer day where all eligible employees may participate in a volunteer event with a nonprofit of their choice
• Employee Matching Gifts Program: We will match monetary employee donations to eligible non-profit organizations, dollar-for-dollar, up to $1,000 per employee

• Newrez Grants Program: Newrez hosts a giving portal where we provide employees an abundance of resources to search for an opportunity to donate their time or monetary contributions

Equal Employment Opportunity
We're proud to be an equal opportunity employer and celebrate our employees' differences, including race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, and Veteran status. Different makes us better.
