Pay and Benefits:
Salary Range: $75,000 to $95,000 annually
Bonuses: Annual, performance based
Paid Leave: PTO, holidays and select other weekend/holiday extender days
Health and Dental Benefits: Yes
Retirement Benefits: 401(k)
Other Benefits: Group term life, long term care, professional dues and education, professional certification reimbursement program
Qualifications:
At least two (2+) years of working experience in cyber security, GRC, and cyber-related risk management.
Knowledge and awareness of the latest information risk, security and privacy innovations, trends, challenges and solutions.
Exposure to information governance, risk and security standards/frameworks and professional practices (e.g. NIST, ISO, CIS Critical Security Controls, ISSA, InTREx, etc.).
Knowledge of typical enterprise risk and security operational practices.
Knowledge of information security related solutions, tools and utilities.
Bachelor's degree in Business Administration, Computer Science, Information Systems, Engineering, or similar field; or equivalent combination of education and experience.
Professional certifications:
A recognizable and relevant certification is preferred (e.g. CISA, CISSP). If not yet certified, certification is expected within six months.
Job responsibilities:
IT Security Auditors are generally guided by the IT Director in the performance of their job responsibilities but may also be guided by Shareholders. As an IT Security Auditor, you will work as part of a team to assess the security, privacy and risk of clients to provide advice on cybersecurity programs, industry requirements and standards, and to support remediation activities. You should have a strong understanding of framework requirements and the ability to perform assessments and lead interviews, and will be responsible for developing reports for clients. You will work closely with the IT Director to effectively perform engagement work and manage engagement timelines and deliverables.
Key job responsibilities include the following:
- Evaluating clients' policies and procedures related to information security and information systems.
- Testing clients' compliance with policies and procedures related to information security and information systems.
- Evaluating and testing internal controls over clients' information systems.
- Performing information security and information systems risk assessments.
- Reviewing clients' disaster recovery plans, incident response plans, vendor management plans, risk matrices and other technical policies.
- Performing vulnerability assessments of clients' internal and external networks.
- Performing social engineering testing to evaluate clients' internal security awareness training.
- Conducting exit conferences with client staff to outline findings in a concise and professional manner, and being prepared to answer questions and offer recommendations for corrective action.
- Preparing written reports to clients to outline procedures, findings and recommendations.
- Preparing detailed and accurate work papers outlining the scope and results of work performed.
- Advising clients about current developments related to information systems and information risk management.
- Advising clients about regulatory matters impacting information systems and information risk management.
- Serving as an external information security consultant to clients.
Key competencies, skills and abilities to be applied include the following:
- Knowledge of information governance, risk and security standards, frameworks and professional practices (e.g. NIST, ISO, CIS Critical Security Controls, ISSA, InTREx, etc.).
- Knowledge of typical enterprise information risk and security operational practices.
- Knowledge of information security related tools, utilities and solutions.
- Knowledge of information technology and information risk audit techniques and internal control requirements necessary to examine insured depository institution information systems and service providers.
- Exposure to social engineering tests (phishing, vishing, and physical).
- Exposure to Kali Linux and security tools within the distro.
Required competencies for advancement:
As Information Technology Security Auditors progress with respect to the quality and timeliness of their work, and their understanding of client systems, they will be assigned responsibilities of increasing complexity. As Information Technology Security Auditors progress with respect to their understanding of overall engagement requirements and the quality of their assigned administrative tasks, they will be assigned greater responsibilities related to engagement planning, supervision and wrap-up.
The following competencies must be consistently demonstrated before promotion to a more senior auditor position is considered:
Technical
- A recognizable, relevant certification is required (e.g. CISA, CISSP).
- The ability to complete work within established timeframes.
- The ability to complete work accurately, including providing thorough and complete documentation.
- The ability to work independently with limited oversight.
- The ability to communicate engagement issues, concerns and findings to supervisory personnel and others on the engagement team in a timely and effective manner.
- The ability to evaluate the results of work, identify engagement risks related to the work and develop an engagement response to those risks.
- The ability to present findings and recommendations to clients (both verbally and in written reports) in a clear, concise and professional manner.
- The employee must possess sufficient technical knowledge related to the areas in which work has been assigned, and have the ability to assume work of increasing complexity.
Administrative and Professional
- The employee must conduct themselves in a professional manner with confidence and ease in the presence of clients, peers and other Fortner Bayens personnel.
- The ability to organize, prioritize and monitor the status of multiple tasks, including timetables.
- The ability to teach job responsibilities and technical knowledge to newer staff, and to direct and review the work of those staff.
- The employee must understand the requirements of various types of engagements.
- The employee must take increasing responsibility for engagement planning, supervision and wrap-up procedures.
- The employee must be familiar with the firm's policies and procedures.
- The employee must understand professional standards and regulatory and legal requirements.