Sr. Information Security Analyst
UPS Has A Wide Range Of Roles To Help Your World Work Better.
We’re the obstacle overcomers, the problem get-arounders. From figuring it out to getting it done… our innovative culture demands “yes and how!” We are UPS. We are the United Problem Solvers.
About Information Security at UPS Technology:
Our top-notch Information Security team quickly finds and responds to real-time threats. These critical thinkers have a hunger to keep ahead of new exploits and security trends. They protect the vast trove of valuable data that passes through our servers each day. As a part of UPS InfoSec, you’ll continue to uphold our reputation for integrity in this growing and ever-changing field.
The Senior Information Security Analyst in Risk Management identifies, investigates, analyzes, and recommends information security guidance to ensure enterprise IT confidentiality, integrity and availability while assessing against technical, administrative and physical risks. The Analyst will conduct professional security assessments and evaluate the effectiveness of existing and planned IT security controls. The Analyst will evaluate IT project and business requirements and report and recommend effective IT security controls to ensure effective security and compliance with enterprise standards. The Analyst communicates security issues and control gaps through security governance processes. The Analyst participates in the planning, development and analysis of IT-related risk assessments, which include security controls, business continuity planning, regulatory and policy compliance, and threat modeling for company data, systems, networks, assets, and processes.
The Analyst must have the ability to interact with business stakeholders and technical personnel at all levels; experience organizing, participating in and executing critical projects with short time spans; and experience interacting with project managers, vendors, architects, technical experts and management. Ability to work effectively with limited supervision with business and technical personnel at all levels of the organization. Effective at managing personal time and effort across multiple concurrent project assignments. Background in information security risk management with a minimum of 2 years’ experience developing and executing security risk assessments using industry-standard approaches such as ISO 27001, COBIT, NIST, Shared Assessments or SSAE 16, with preferred experience in professional security risk assessment documentation including residual risk identification. Broad background in Information Security with 5 to 10 years of experience in Information Technology development or infrastructure support.
Gather Supporting Data for Security Risk Assessments
- Conduct Security Risk Assessments as assigned. Determine data and asset sensitivity, and understand the business requirements, objectives and business impacts related to the IT system solution. Gather data usage information using security questionnaires, meetings, and direct one-on-one question-and-answer sessions with project/solution stakeholders
- Determine the scope of the assessment, the parties that will need to be solicited for information, and the best avenue for soliciting the information required for analysis
- Review needs for regulatory, contractual and architectural input concerning PII, PCI, HIPAA, FAA, DOT, DOD, GDPR, SaaS, IaaS, PaaS, and others that apply to the solution or application
Determine Security Controls Appropriate for Assessment Scope
- Analyze information gathered from control questionnaires, network and traffic flow diagrams, technical documents, and interview notes from project meetings to determine inherent risk
- Review the existing security controls, controls planned, and controls that are missing, based on expert analysis and use of the security frameworks, regulations, and policies that apply
- Utilize knowledge of security engineering concepts related to web services, security controls, cloud technologies, mobile technologies, traditional infrastructure, and software development
- Utilize knowledge of security frameworks, regulations, contracts and policy to ensure all security aspects of the solutions have been addressed and controls are defined
- Utilize knowledge of information security threats, vulnerabilities, exploits, attack trends, intelligence briefings, anticipated future security concerns, cloud concerns, mobile concerns, and social engineering
- Document the security control gap observations in the existing control set plan, adding mitigation or remediation controls targeted to address each security gap and achieve an acceptable security baseline
Communicate the Information Security Control Gaps & Recommendations
- Conduct security reviews and discussions with project management and technical experts to explain the recommended security control adjustments and the reasons they are required for baseline security
- Work with project managers and key stakeholders to communicate company policy, security best practice, legal regulations, and contractual elements driving security controls
- Provide examples of control failures to ensure the concept of defense in depth is properly applied and points of failure are highlighted, especially single points of failure
- Review security control adjustment responses from the project team, and determine whether each risk is to be mitigated, remediated via compensating controls, or accepted as residual risk
Create Executive Level Security Risk Assessment Reports
- Prepare formal security risk assessment reports with executive summaries of residual risk, the details of the assessment, scope, analysis, mitigation controls proposed and adopted, and the impact of residual risks
- Communicate with and brief the management team, up to the Security Director and Senior Security Officer level, explaining the potential risk associated with the solution, including possible business impacts
- Ensure risks are identified and defined properly and are useful for decision making
- Review inherent and residual risks with the Information Security Management Team to ensure business objectives are not impeded by risk
Retain, Track, Update, and Report Status of Security Risk Assessment Efforts
- Retain all documentation related to the Security Risk Assessments in accordance with security procedures designed to protect and ensure the confidentiality of the information
- Track project risk assessment status and document status updates; develop security life cycle management plans as needed
- Report overall project and portfolio risk status to the stakeholders and information security management, and ensure impediments or critical situations are highlighted and made known so that assistance can be provided
On-Going Education, Skillset Enhancement, Security Professionalism
- Utilize company-supplied resources, from internal CBTs and libraries to external training opportunities, enhanced by required certifications as applicable, e.g. ISC2, SANS, ISACA…
- Contribute knowledge and recommendations for risk-based assessments on emerging technologies, vulnerabilities, threats, and associated risks (for example cloud, mobile, containerization)
- Develop opinion papers, technical reviews, and security awareness articles to share knowledge and improve the overall security culture of the company and the global security community
- Obtain experience and knowledge related to the various aspects of the company’s lines of business to enhance understanding of the impact of potential technology risks
- Participate in professional information security organizations such as ISC2, ISACA, ISSA, InfraGard, and OWASP as leaders, teachers, and speakers to increase networking and community involvement
Preferred certifications: CISSP, CRISC, CCSP, CISM, CISA
The desired Senior Information Security Analyst will possess a degree in Information Systems, IT Management, Risk Management, Auditing, Computer Science, or a related field, or the equivalent in education and work experience.
This position offers an exceptional opportunity to work for a Fortune 50 industry leader. If you are selected, you will join our dynamic technology team in making a difference to our business and customers. Do you think you have what it takes? Prove it!
UPS is an equal opportunity employer – race/color/religion/sex/national origin/veteran/disability/sexual orientation/gender identity
Logistics, Distribution, Freight, International Trade Management, Express Package Pickup, Delivery & Tracking Data
Company Type: Public Company
Company Size: 10,001+