Analyst Cyber Security Senior

Job Brief

Plays a crucial role in supporting the mission of providing affordable, reliable water and power to SRP customers by participating in cyber security initiatives that protect SRP operations. Collaborates with Information Technology and Operational Technology personnel to assess configurations and conditions to recommend cyber security control implementations based on risk to SRP. Coordinates risk and compliance assessments of SRP’s most critical systems to determine if systems are in alignment with cyber security policies. Ensures security remediation is appropriately addressed by business groups and system owners. Collaborates with stakeholders across SRP to ensure compliance with NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) regulations. Applies industry knowledge and experience to advance strategic security objectives while ensuring SRP's business interests are served. Monitors and analyzes relevant trends, regulatory action, and other activities.

Priorities also include consulting and advising business groups, projects teams, and individuals on translating cyber security policies and standards into requirements, ensuring effective cyber security/technology risk management, and guiding appropriate control and compliance activities. Supports risk management activities to identify, rank, prioritize, and follow up on remediation progress to cyber security address risk.

Job Responsibilities

• Advising the CSS Lead - Risk & Compliance on cyber security compliance and risk matters.
• Participating in programs and projects that cross intra-organizational boundaries, requiring the employee to coordinate with organization-wide teams.
• Developing and maintaining cyber security compliance strategies for adherence to SRP applicable standards, including but not limited to NERC CIP, National Institute of Standards and Technology Cyber Security Framework (NIST CSF), NIST Special Publication SP 800-53, Department of Energy’s Cybersecurity Capability Maturity Model (C2M2)
• Communicating, expanding, and contributing to SRP's cyber security compliance and risk management programs.
• Creating reports, presentations, dashboards, and other forms of written and visual deliverables to communicate risk and compliance activity, status, and results.
• Consulting and advising business groups, projects teams and individuals on translating cyber security regulations into requirements, ensuring effective cyber security/technology risk management and appropriate control and compliance activities.
• Conducting cyber security assessment activities for internal technologies/systems and third-party vendors.
• Ensuring security risks are appropriately addressed by following up with business groups and system owners to complete assigned security remediation.
• Informing cyber security leadership of emerging cyber compliance and risk trends.
• Participating in internal technical teams and external industry cyber compliance and risk groups.

Education

Experience

Promotion to level 2 requires a minimum of two years of experience at level 1; demonstrated capability to perform advanced and more difficult work as determined by the supervisor. Promotion to senior level requires a minimum of three-years of experience at level 2; is fully competent in all aspects of functional area of assignment and as such would be recognized as a specialist in area of assignment and may have periodic or occasional lead  responsibilities.

Degree preference for Computer Information Systems, Information Assurance, Computer Science, Cyber Security, Engineering or Business degrees.

5 years professional experience in related field preferred.

Special Licensing Industry security certifications preferred, including:

• CISSP - ISC2 Certified Information Systems Security Professional
• GIAC Certifications (example: GSEC, GSTRT, GCIP, etc.)
• CRISC - Certified in Risk and Information Systems Control
• CISA - Certified Information Systems Auditor

Additional Information

• Experience conducting security compliance and risk assessments, testing controls to determine security risk, and providing recommendations to technology groups.
• Knowledge of, and experience with, cyber security risk, compliance, and control framework implementations (NERC CIP, NIST 800-53, NIST CSF, Center for Internet Security Critical Security Controls (CIS CSC), etc.).
• Ability to analyze conditions/configurations and provide cyber security guidance in a variety of business process and technical scenarios.
• Capable of managing multiple compliance and remediation workstreams and communications, often with overlapping and competing deadlines and priorities.
• Familiar with cloud computing technologies, models, and security strategies.
• Understanding of Industrial Control System (ICS) and Operational Technology (OT) concepts, processes, and functionality.
• Must demonstrate strong communication skills; familiarity with cyber security compliance and risk concepts; and an understanding of cyber security compliance and risk frameworks.
• Experience working with Information Technology and Operational Technology infrastructure components, operating systems, and applications from a security compliance and risk perspective.
• Experience participating in cyber security compliance and risk programs.
• Experience with common cyber security compliance and risk tools, such as Governance, Risk, and Compliance software, is preferred.