Information Security Compliance Analyst
General Re Corporation, a subsidiary of Berkshire Hathaway Inc., is a holding company for global reinsurance and related operations, with more than 2,000 employees worldwide. Its direct reinsurance companies conduct business as Gen Re.
Gen Re delivers reinsurance solutions to the Life/Health and Property/Casualty insurance industries. Represented in all major reinsurance markets through a network of more than 40 offices, we have earned superior financial strength ratings from each of the major rating agencies.
Gen Re currently offers an excellent opportunity for an Information Security Compliance Analyst in our Stamford, CT office.
The Security Compliance Analyst is a member of the Global IT Security Compliance team and holds a hands-on support role within the corporate information security program. This includes ensuring that compliance program and IT security policy deliverables are achieved. The role also supports security policies, processes, tools and standards throughout the organization, working closely with the Global Information Security Group, Internal Audit, Legal, Human Resources, Data Privacy Officers and other groups within the corporation, as well as with designated external partners.
The candidate must have a strong background in technology, security and metrics, and must be highly adaptable. The candidate must be collaborative, organized and analytical, and is expected to partner with and mentor other teams on an ongoing basis.
- Identifies policy and process gaps or breaks, ensures proper segregation of duties, and documents approved exceptions.
- Participates in the drafting, updating, revising and publication of security policies and other security materials.
- Develops, tests, documents, evaluates, tracks, and improves IT compliance controls.
- Performs administrative control reviews and recommends remediation actions and alternative approaches to resolve conflicts.
- Identifies, collects and organizes security incident and event data to produce exception and management reports.
- Supports continuous improvement by developing, operationalizing and maintaining security compliance metrics and documentation. Also provides support for IT Security Compliance requests and incidents.
- Reviews technology platforms (operating systems, applications and network devices) and vendors to ensure compliance with established best practices and with organizational and operational policies.
- Participates in Change Control and Release activities to ensure changes & deployments don’t compromise security controls & policies.
- Maintains the Security Questionnaire database and responds to IT Security Questionnaires as necessary.
- Prepares risk assessments for third- and fourth-party vendors to advise the business on the IT risks associated with using the vendor or technology.
- Participates in the planning and support of penetration testing activities with Internal Audit as well as other IT audit activities.
- Bachelor’s degree in computer science, information systems, or equivalent work experience.
- A professional security management certification, such as the ISC2 Systems Security Certified Practitioner (SSCP) or the SANS GIAC Information Security Professional (GISP), is a plus.
Experience/Skills (1–5 years)
- Strong conceptual thinking and communication skills – the ability to translate complex business and technical requirements into effective and comprehensible solutions.
- Ability to correlate disparate data sources to produce a complete picture, or view of an event, system, or environment (Connect the dots).
- Working knowledge of various regulations such as SOX, HIPAA, international data privacy regulations such as the European Union General Data Protection Regulation.
- Strong knowledge of NIST and ISO 27000 security practice frameworks.
- Knowledge of security controls (e.g. firewalls, IDS/IPS, VPN, web content filters, proxies, DLP, SIEM, log aggregation).
- Operational experience with one or more common IT infrastructures (telecom, database, Windows, Active Directory, LDAP, SMTP, DLP, *NIX server systems, virtualization platforms).
- Understanding of the Microsoft Office suite, including Access and Visio.
- SharePoint experience to maintain security sites associated with the Security Compliance group.
The following are not essential, but are highly valued:
- Professional experience or knowledge of application or infrastructure penetration testing
- Basic working knowledge of scripting/programming languages (e.g. Python, Powershell)
- Basic knowledge of cloud security controls and behaviors