Summary
The Information Assurance Analyst analyzes supporting documentation to validate that general computer, automated, and operational controls are working as intended and adhere to FFCU’s information security policies, procedures, and controls. The Information Assurance Analyst works closely with internal teams to review security practices, detect potential threats, and provide recommendations for improving the overall security posture of the organization. This role involves assessing security risks, performing audits, and identifying vulnerabilities in systems and processes to ensure compliance with industry regulations and internal security standards. This individual serves as the Internal Audit team’s subject matter expert (SME) in identifying technology and cybersecurity risks. The role requires attention to detail, strong analytical skills, and a deep understanding of cybersecurity frameworks, standards, and best practices.
Essential Functions
30% 1. Information Assurance Audits – Plan, lead, and execute audits of information security controls associated with FFCU applications and systems on behalf of the Internal Audit and Information Security departments. This includes developing audit plans, conducting audits, reporting on findings, providing recommendations, and monitoring remediation status, as well as participating in the Internal Audit department’s annual audit plan and IT risk assessment.
15% 2. Operational Security Reviews – Conduct periodic operational security reviews to ensure that critical controls are operating as intended. These may include reviews of traffic flow/firewall configurations, access controls, vulnerability management and other areas as needed.
15% 3. Control Documentation Library – Maintain the Information Security Control Documentation and Artifacts library. This library will contain documentation and/or evidence that demonstrates FFCU’s current security control status. This information is utilized for responding to audits and risk assessments.
10% 4. Security Event Management – Monitor information security events for unauthorized or unusual activity. Respond to or escalate events as required. Develop and maintain alerts on applicable security systems. These may include FFCU’s in-house Security Information and Event Management system, Microsoft 365 or other system as required.
10% 5. Configuration and Change Control Monitoring – Monitor compliance of FFCU configuration and change control management processes. This includes conducting system reviews to identify systems not in compliance with approved configuration baselines or changes that did not follow FFCU change control standards. Request and monitor remediation.
10% 6. System Authorization – Ensure that appropriate information security reviews are completed, and that information systems or services are authorized prior to being promoted to production. This may include verification of secure configurations, patching status, required contracting reviews, change requests and other required actions that result in a documented formal system authorization. This also includes ensuring that systems or services that have reached end of life are appropriately and completely decommissioned.
Non-essential Functions
10% 1. Perform any other duties as requested by the Director of Information Security, VP of Internal Audit, or other team members. Embody CU’s mission, vision, and core values. Abide by First Financial’s policies, procedures, and standards.
Expectations
- Perform essential functions of the position, special projects and other work assignments within timeframes and quality standards established by the Chief Information Officer.
- Possess the ability to work independently within deadlines and manage multiple tasks and projects.
- Must demonstrate good analytical/problem solving, verbal and written communication skills.
- Must be able to multi-task and be a team player and have good time management and prioritization skills.
- Must be willing to work from our main office in Albuquerque, NM.
- Ability to travel out of town as needed.
Qualifications
Education: Bachelor’s degree in related technical or business area. Certifications such as a CISA, CISM, or CISSP are desirable.
Experience: Minimum of 5 years’ experience in a related Information Technology, Information Security, or audit function.
Knowledge, Skills, Abilities: Must have good working knowledge and understanding of the technologies and concepts supporting the essential functions of the position listed above. Must be able to lift up to 50 lbs. Normal office conditions, but hours & days worked must be flexible based on needs of position; highly concentrated mental & visual alertness, majority of day may be spent sitting, typing & reading computer screen for extended periods, frequent up/down activity, position involves a great deal of physical activity involved w/ maintaining & working on computers.