
Information Security Risk Analyst

Sandy Spring Bank
Olney, MD Full Time
POSTED ON 7/13/2023 CLOSED ON 9/2/2023


Information Security Risk Analyst

About Us

Are you someone who seeks opportunity and has a true desire to grow your career with an organization that has enriched the lives of its clients and communities in the Greater Washington region for more than 150 years? If so, Sandy Spring Bank may be the perfect fit for you!

Sandy Spring Bank is a growing financial services company focused on creating real experiences for our employees, clients, shareholders and communities. We are proud to have been certified as A Great Place To Work, recognized by The Washington Post and the Baltimore Sun as a Top Workplace, and named by Forbes magazine as the #1 Bank in Maryland. It is our employees who play an integral role in shaping who we are as a company and upholding what matters most to us: people and relationships.

To help us attract the highest quality individuals, we offer a comprehensive benefits package to those who qualify. We offer competitive market salaries, paid time off, multiple retirement savings options, full health care options, life insurance, health care and dependent care flexible spending accounts, career development opportunities, tuition assistance and volunteer opportunities. We are proud to offer those, and so much more, making Sandy Spring Bank a remarkable place to work and build a career.

About The Job

Sandy Spring Bank is currently recruiting for an Information Security Risk Analyst. Reporting to the Manager of the Information Security Risk team, the Information Security Risk Analyst will lead specific information security risk management activities that protect Sandy Spring Bank and its clients while complying with applicable regulations and SSB policies. The Information Security Risk Analyst provides subject matter expertise and leadership to improve the organization's security policies and security risk management processes by establishing a framework of controls so that the Bank can manage risk and regulatory compliance and maintain governance over all aspects of IT. The Information Security Risk Analyst is responsible for ensuring that SSB identifies risks and remediates them in a timely manner while reporting the current level of exposure to known threats. The role includes implementation and maintenance of policies, training and awareness, and vendor risk management responsibilities. The position requires experience in information security risk management in a regulated environment. This role will work closely with second-line and third-line risk leaders.

Areas of focus:

* Perform security risk analysis with the goal of identifying risk and elevating the company's security posture.

* Serve as a subject matter expert and trusted advisor as part of establishing relationships to support risk-based decision making across business, IT and the broader stakeholder community at the Bank.

* Contribute to Information Security reports for Technology Risk Committee and Operational Risk Committee as necessary.

* Lead efforts to track and remediate risks when those risks are determined to pose a threat to the Bank's safety, soundness, or reputation. Track risks and issues and ensure their on-schedule remediation in alignment with the ERM issues management process.

* Establish and maintain processes for managing security-related audits, control assessments, compliance checks and external assessments across Business, IT and Information Security. Ensure timely and complete responses to evidence requests and compile management responses and remediation plans as needed.

* Emphasize the application of privacy, security, business resiliency and compliance frameworks including, but not limited to, FFIEC (Federal Financial Institutions Examination Council) guidance, Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), System and Organization Controls (SOC) 2, PCI DSS, and ITIL V3/4 processes.

* Evaluate risk and controls by executing targeted testing of first line operated control processes.

* Develop and publish policy, standards and procedures for implementation based on the Bank's risk appetite, industry best practice guidance and based on a detailed knowledge of the regulatory and stakeholder requirements.

* Collaborate with the Enterprise Risk Management team to design and maintain a risk and controls matrix mapped to applicable regulatory and selected framework controls and in alignment with the agreed risk appetite. In addition, facilitate a Risk and Control Self-Assessment (RCSA) across IT and Information Security.

* Participate in the vendor risk assessment process and provide security risk assessment services and contract reviews to ensure that third parties meet the Bank's information security control requirements.

* Support the SSB cyber training and awareness program, Cyber Tabletop exercises and Red Team exercises, and ensure all findings are addressed in a timely manner via the risk issue management process.

* Contribute to and validate metrics used in assessment of security program success and report them regularly to security and business leadership.

Required Skills:

* Minimum of 6 years' experience in one or more information security roles, including security risk analysis and control design, compliance and risk management, security control process assurance or audit of technology controls

* Bachelor's degree in Information Security, Computer Science, Management of Information Systems, or related field required. Master's degree in a related field is an advantage.

  • Demonstrated deep background (preferred 4 years) in risk treatment, controls selection and information security controls process design.

  • Direct hands-on experience with information security policies, standards, and industry leading practices is essential.

  • Demonstrated experience working directly with internal audit and regulator teams to satisfy audit requests, present evidence and provide management responses to findings that are identified during the audit or assessment.

  • Demonstrated experience with security processes and technology solutions that align with controls for FFIEC, SOX Section 404, ISO 27001/27002, the Center for Internet Security (CIS) Critical Security Controls (CSC), or National Institute of Standards and Technology (NIST) SP 800-53 guidelines is preferred.

* Professional security risk management certification is required, such as a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) or other similar credentials.

* Track record of delivering security governance, risk and compliance projects under tight deadlines.

  • Capable of working with diverse teams and promoting a positive enterprise-wide security culture.

  • Demonstrated project management, multitasking and organizational skills.

  • Detail-oriented, with excellent written and verbal communication skills and strong interpersonal and collaborative skills.

  • Self-driven and able to work in an agile team within a large enterprise organization, as well as independently.

  • High level of personal integrity, high degree of initiative, dependability and ability to work with limited supervision.

SPECIFIC PHYSICAL REQUIREMENTS:

Position requires reasonable mobility in and around work area and the ability to operate standard office equipment, personal computer systems, and telephone systems.

WORKING CONDITIONS:

Normal office environment where there is almost no discomfort due to temperature, dust, noise, or other disagreeable elements.


Work includes little or no potential exposure to hazardous conditions.


Must be able to attend meetings at other company locations and seminars in the area. Out of town travel may also be required to attend training and conferences.

The above statements are intended to describe the general nature and level of work being performed by people assigned to this classification. They are not intended to be construed as an exhaustive list of all responsibilities, duties and skills required of personnel so classified.

Sandy Spring Bank provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

If you require a reasonable accommodation to apply for a position, please call our job line at 1-800-399-5919 and select option 5. Requests are considered on a case-by-case basis.

Sandy Spring Bank partners with various job boards to advertise our openings. Please visit our website, www.sandyspringbank.com, to confirm the validity of the job posting and avoid any potential fraudulent activity. We encourage and recommend all candidates to apply via our website.


Sandy Spring Bank is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, national origin, sex, disability, gender identity, veteran status, or any other characteristic protected by law. We maintain a drug-free workplace.
