Info Security Risk Manager 1 at CHC

CHC · Riverton, United States Of America · Onsite

Serve as an embedded information security and IT risk advisor and subject matter expert to one or more of the business unit IT groups of the Church. This includes supporting and enabling the implementation of security programs and controls, advising on the risk implications of architecture and design decisions, and assisting with the design and validation of risk reduction efforts within the assigned group. 

Information Security Risk Managers also participate as experienced evaluators on a committee that identifies, documents and evaluates technology risks for the Church, so that policy, programs and strategic technology decisions can be informed by a comprehensive and reliable assessment of risks.

Effective performance of these two purposes requires a combination of effective relationship management skills and a broad understanding of technology, business processes, and how they interplay in an enterprise to create and manage IT risk.

This individual works with divine guidance to provide or support technology that furthers the mission of the Church and reflects the eternal impact of the gospel.

Responsibilities

  • As requested, assist with the development of information security programs, policies and procedures within the Church
  • Participate in strategy and culture as a member of the extended leadership of the Information Security and Risk Division 
  • With assigned IT portfolio(s), establish and maintain a trusted advisor and partner role with portfolio leaders and staff; be familiar with their objectives, needs and technical ecosystem 
  • Communicate risk and/or information security knowledge appropriately to assigned audiences that may include knowledge workers, highly-technical engineering staff, and executive-level leadership 
  • Provide information security subject-matter expertise to associated business and technical leaders
  • Assist business and technical leaders in understanding, prioritizing and reducing information security risk, including general workforce information protection and handling capabilities
  • Facilitate security program compliance and risk-grounded decision making through sound relationships, alignment with partners and professional influence skills  
  • Perform and supervise risk assessments with solution, product and engineering leaders; both standardized assessments and specialized assessments of unique technologies, architectures and business technology plans
  • Evaluate adherence to and promote information security policies and standards; review compliance or assessment artifacts and deliverables for completeness and accuracy
  • Document critical security risk findings in support of fully-informed and proactive decision-making
  • Effectively communicate risk and urgency to technical leaders where immediate mitigation response for critical risks is needed
  • Coordinate security assessment findings and reports with management, engineers and customers 
  • Coordinate application vulnerability and penetration tests; coordinate tests and evidence-gathering activities for solution security certification/compliance validation 
  • Evaluate whether sensitive data handling systems and processes comply with Church policies and procedures 

Non-Responsibilities

  • Is not accountable for any given solution’s actual implementation of, and compliance with, security standards and programs. These responsibilities lie with the portfolio and solution leaders.
  • In the conducting of standardized and atypical risk assessments, as well as in risk committee validations, evaluates organizational risk and may advise on available options, but does not accept risk for any part of the Church or make any formal decisions regarding the mitigation, avoidance or transfer of risks.  These decisions lie with appropriate technology and business roles.

Qualifications

Education:

  • Bachelor’s Degree in Information Systems, Information Technology or equivalent professional experience

Work Experience:

  • 8+ years of experience in a core IT technology (e.g., software developer, network engineer, database engineer) where compliance activities or the identification of security risks or code defects were part of the work experience; plus, significant hands-on experience with commercial and open source security tools and products, penetration testing, analysis and project management 

  • Minimum of one year of experience in an information security, IT risk, or compliance-related role

Demonstrated Skills & Abilities:

  • Ability to identify and assess likely security risks across technical domains like segmented enterprise networks, identity and access infrastructure, symmetric and asymmetric encryption technologies, cloud architectures, insider threats, endpoint protections, securing web applications, and privacy and regulatory

  • Ability to work individually and as part of a team with minimal supervision 

  • Proven ability to conceptualize, analyze and communicate complex issues and concerns to both technical and non-technical managers and workers

  • Proven ability to develop, refine and follow processes

  • Must be familiar with security standards and best practices such as those specified by the payment card industry, ISO 27000, National Institute of Standards and Technology, Center for Internet Security

  • Excellent communication skills (both written and verbal; this can include multi-lingual abilities)

  • Effective communication skills (both written and verbal; this can include multi-lingual abilities) 

  • This job operates in a professional office environment

  • To successfully perform the essential functions of the job there may be physical requirements which need to be met such as sitting for long periods of time and using computer monitors/equipment
  • Ability to understand the security considerations in an internationally-based IT environment and to work well with global teams and Areas
  • An effective understanding of Application and Code security processes

Specific Degrees, Certifications, Licenses:

  • CISSP certification (ISC2) or the ability to attain it as requested

  • Prefer one or more of the following recognized IT security certifications: GCED, CISA, CISM, CRISC, CPISA, GWAPT, CIPP (Other technical certifications are also given consideration)

Company

Church employees find joy and satisfaction in using their unique talents and abilities to further the Lord’s work. From the IT professional who develops an app that sends the gospel message worldwide, to the facilities manager who maintains our buildings—giving Church members places to worship, teach, learn, and receive sacred ordinances—our employees seek innovative ways to share the gospel of Jesus Christ with the world. They are literally working in His kingdom.
Only members of the Church who are worthy of a temple recommend qualify for employment. Apart from this, the Church is an equal opportunity employer and does not discriminate in its employment decisions on any basis that would violate U.S. or local law.
Qualified applicants will be considered for employment without regard to race, national origin, color, gender, pregnancy, marital status, age, disability, genetic information, veteran status, or other legally protected categories that apply to the Church. The Church will make reasonable accommodations for qualified individuals with known disabilities.