Security Risk Assessment Specialist

Full Time
San Francisco, CA
Areas of Interest: Vulnerability Assessment and Management
Overview

We’re working to make financial progress possible for everyone.
See how you can help over 60 million people take control of their credit.
Security is a core value at Credit Karma. We help millions of people better manage their credit. Safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual engineer, everyone views security as a personal responsibility. Your unique mission within GRC for Security is to capture and surface security risk to technology and business owners in a collaborative and actionable way.

What Will You Do?

  • Act as a GRC subject matter expert in at least 2 of the following areas: application security, pen-testing, vulnerability management, access management, configuration management, authentication and encryption techniques, secure development lifecycle (SDLC).
  • Perform all types of security risk assessments to identify and quantify cyber-security risks and suggest mitigation controls and remediation plans according to security regulatory requirements such as NIST 800-53, ISO27001 and MS-SDL.
  • Provide analysis and continuous improvement of the GRC tool capabilities by supporting risk inventory intake from various risk sources such as: GRC tools, vulnerability scanners, pen testing activities, risk assessment processes, and other primary sources of risk information.
  • Interpret controls and risk information and provide recommendations to improve security processes and related controls.
  • Assist in development of policies and procedures that will help Credit Karma to adopt a risk-based mentality toward all day-to-day activities.

What’s Great About It?

  • Carrying out two positive missions at the same time: helping people take back control of their credit and helping to keep their personal information safe.
  • Solving security problems at scale in a highly technology-focused team, with a culture of “how to do this safely”, not a culture of “no”.
  • Spending way less time convincing anyone why security is important and way more time talking about how to manage risk effectively - the importance of security is woven into our DNA already!

What We're Looking For:

  • BA/BS combined with 2+ years of experience across subject matter related to GRC, information security and/or technology compliance.
  • Working knowledge on at least two of the following security areas: pen-testing, vulnerability management, access management, configuration management, encryption techniques, secure development lifecycle (SDLC), cloud security, 3rd party security.
  • Proficient working knowledge of at least two IT governance and controls frameworks such as NIST 800-53, ISO27001, PCI, STIGs, BSIMM/MSSDL and SOX.
  • Strong documentation and communication skills on both a business and a technical level.
  • A fun and positive attitude!

Bonus Points:

  • Working knowledge of information security risk management and risk assessment methodologies.
  • Working experience in Application/Network Pentesting, Vulnerability Scanning, SOC.
  • Experience evaluating audit reports, network penetration test results, and system/application level security assessments.
  • Security industry certifications: CISSP, CISM, CISA, CCSP, CCSK.


Credit Karma

With over 60 million members, Credit Karma is working to make financial progress possible for everyone. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.
Company Industry: Consumer Services
Company Type: Public Company
Company Size: 201-500