This is a 12 month fixed term contract position.
The Senior Security Risk Analyst is a senior individual contributor role, working largely with senior technical stakeholders to test and improve customer and corporate information security controls. The primary focus of the role is technical audit: reviewing and advising on the efficacy of existing information security controls against industry standards, regulations, and the company's current attestations and certifications.
This role will be exposed to some of the most exciting threat intelligence modelling and cyber security products in the sector, and will have the opportunity to play a key role in the design and implementation of security controls suitable for use in securing government information, including FedRAMP (US), IRAP (AUS) and Cyber Essentials Plus (UK).
The successful candidate will have a deep technical understanding of cloud and network security technologies, and will be able to advise Engineering, Technical Operations and Product teams on how to document and implement technical and operational controls for cloud security standards. This role reports into the Senior Director of Assurance, Risk and Control (ARC).
Please note that, should the candidate be shortlisted, the hiring manager may request to see examples of skills or experience listed as essential or key, and the candidate may need to undergo a technical assessment.
- Translate compliance requirements into implementable policies and procedures and review business processes to identify and address potential risks.
- Work with technical stakeholders to design, document and implement technical controls required for a SaaS provider delivering services into the US public sector.
- Partner with senior members of the ARC team in implementing company-wide audit activities in relation to the global Assessment, Certification and Attestation (ACA) program.
- Analyse audit logs, penetration tests and vulnerability scans for security significance, and work with enterprise risk management (ERM) analysts to interpret and risk-assess findings in line with ERM policy.
- Collect and document technical architecture, operational processes and security policies from multiple internal engineering teams
- Must be able to demonstrate significant experience in the use and configuration of common security tools, including the remediation of vulnerability scan findings, either as an individual contributor or as part of a cross functional team
- College degree in Computer Science or a related field, with a minimum of 5 years in any of the following: IT security, technical risk management, technical regulatory compliance, or technical audit.
- The candidate must hold one of the following: Certified in Risk and Information Systems Control (CRISC), Certified Information Systems Auditor (CISA), or another major technical risk / security certification.
- Practical knowledge and experience of implementing major security frameworks such as CSA CCM, SOX, SOC, NIST, ISO 27001, ISO 27018, ISO 27701, HIPAA, FedRAMP or DoD SRG.
- Must have knowledge of compliance audit processes and technical risk assessment programs.
- Capable of designing, articulating and testing technical and organisational measures (TOMs)
- Can understand business and cloud security requirements of engineering, product, and cloud infrastructure delivery teams.
- Experience interviewing subject matter experts and using knowledge to develop, edit, and revise documentation including standard operating procedures, system security plans, and policies and procedures.
- Experience with security analytics, logging, and reporting.
Desired Skills and Experience
- Experience with FedRAMP, CJIS, DoD Impact Level 4 and above, and US healthcare and education control frameworks would be a distinct advantage.
- Experience managing agency-specific Plans of Action and Milestones (POA&Ms).
- Experience with writing, editing, and/or managing a wide variety of IT security documentation, and familiarity with the security controls associated with the Federal Information Security Management Act (FISMA).
- Experience with continuous monitoring of technical controls to maintain an agency Authority to Operate (ATO).
- Knowledge of SSAE 18 and ISO audit engagements.
- An understanding of Control Objectives for Information and Related Technologies (COBIT)
- Experience working with a Third Party Assessment Organization (3PAO) and the FedRAMP PMO to achieve agency authorization, including the interpretation and implementation of a Security Assessment Plan (SAP).
- Experience writing technical documentation in line with a NIST-based Written Information Security Program (WISP). Examples will be required should the candidate be shortlisted.
- Experience with the production and/or editing of technical drawings using MS Visio or similar design tools.
- The ideal candidate would hold deep technical knowledge of cloud and network security methodologies, including the design of effective IPS / IDS solutions.
- The person would be comfortable working under their own initiative or contributing to a team objective
- Capable of producing quality outcomes whilst meeting demanding deadlines, across concurrent and dynamic work streams
- Open to international travel
- Build productive relationships with senior stakeholders
The role is based in Lexington, MA with the possibility of occasional travel to other Mimecast locations.
Mimecast is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or protected veteran status, and will not be discriminated against based on disability. Mimecast is also committed to providing reasonable accommodations to individuals with disabilities throughout the interview and employment process, including the use of our online system to apply for a position. Mimecast will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information.