Security Controls Assessor
The Information Security Governance, Risk Management, and Compliance (ISGRC) department helps support the College Board by maintaining and enforcing security policies and standards, and by developing a security-aware culture throughout the enterprise. All information security training, security governance, risk management, business continuity, and compliance activities (such as ISO 27001, PCI-DSS, and SOC2) are run by the ISGRC function.
As a member of the risk management team, the Security Controls Assessor’s (SCA) role is to perform information security-based audits and security controls assessments for all College Board enterprise systems. The SCA performs final gate security checks for IT systems to ensure that all the requisite controls are in place prior to the system going live and annually thereafter. These risk management activities are core to the College Board’s way of doing business and in building our next generation systems. In this role, you will build partnerships with the Information Technology and Operations teams to enhance security compliance for the College Board and its operations.
This is a hands-on role where the Security Controls Assessor must work with a combination of executive, technical, and non-technical staff members.
- Performs a three-tiered approach to security controls assessment including: technical reviews, documentation reviews, and staff interviews.
- Translates security assessment outputs (e.g. vulnerability reports, weaknesses, etc.) into actionable compliance requirements and definitions.
- Provides analysis of security controls to ensure that they are implemented correctly, operating as intended, and producing the desired result.
- Collaborates closely with other departments to ensure that the information security compliance requirements are met.
- Supports and utilizes security compliance tools and technologies such as: RSAM, Modulo, RSA Archer, and similar capabilities.
- Other duties as assigned.
- Bachelor’s Degree in Computer Sciences, Business Management, or equivalent prior work experience in a related field.
- Five to seven (5-7) years of experience in a computer-related field, with at least three (3) years' experience in Information Security or information risk management in an enterprise setting.
- Excellent oral and written communication skills, with the ability to present and discuss technical information in a way that establishes rapport, persuades others, and gains understanding.
- Demonstrated experience in information security compliance activities for a cross-functional team with the proven ability to support and manage multiple security compliance activities for technical teams is required.
- Understanding of and ability to apply information security compliance requirements from frameworks such as ISO 27001, SOC, COBIT, PCI-DSS, NIST CSF/NIST 800-53, etc.
- Current Information Security Certification (e.g. CISSP, CRISC, CISM, CISA, or related security certification) preferred or the ability to attain one within 6 months of hire.
- PCI-ISA, CISA, or similar certification highly preferred.
Related Skills & Other Desired Skills:
- Working knowledge and understanding of security for multiple applications, databases, and operating systems (for example, Windows Server 2008/2012; Windows 7/8/10; Linux; and their implementation in AWS or Azure).
- Confidence and supportiveness as a member of security teams with a “can do” attitude.
- Ability to work outside of standard business hours (evenings, nights, or weekends) as needed or required particularly during urgent delivery times.
- Ability to gently influence security risk thinking and business approaches.
- Requires use of a wireless handheld device with messaging capability.
- This position will be subject to successfully passing a background check.
- Excellent problem solving and analytical ability.
The College Board is dedicated to the principle of equal opportunity and its programs, services and employment policies are guided by that principle.