What are the responsibilities and job description for the Security Auditor position at SSL.com?
OVERVIEW:
The objective of the Security Auditor is to look at the present and past activities to provide assurance that all activities have been carried out according to set policies and procedures.
Security Auditors create value to SSL.com by assessing its adherence to the applicable requirements, identifying possible discrepancies or areas for improvement, analyzing root causes behind facts and making recommendations. Their stabilizing role is also valuable for the security, reliability and quality of the SSL.com products and services, thus for customers and relying parties.
KEY RESPONSIBILITIES:
Specific responsibilities include but are not limited to:
- Performs internal audits and reviews, including quarterly certificate audits to verify compliance with the applicable policies and standards.
- Witnesses and attests proper preparation and execution of compliance or security-sensitive operations, such as PKI ceremonies, handling of cryptographic material, data center visits, etc.
- Participates in the investigation and analysis of possible security events, including the collection and review of audit evidence (e.g. audit logs, records).
- Effectively communicates audit issues to the department’s manager and staff personnel within the area under audit review through the timely issuance of discussion issues and audit reports.
- Assists and manages security incidents according to SSL.com’s Incident Management Policy.
- Serves as a point of contact for external entities regarding SSL.com compliance and security issues, including coordinating with penetration testing teams and representing SSL.com in public bug reports and/or with well-known browser vendors.
- Participates in external audits and coordinates with the internal departments/trusted roles for the proper preparation.
- Evaluates the security posture of SSL.com, its products and services, identifying possible risks and remediation measures, in collaboration with fellow auditors, compliance officers and subject matter experts.
- Assesses the IT/compliance risks within the organization, and evaluates the adequacy and effectiveness of the controls in operation to mitigate those risks, in collaboration with fellow auditors, compliance officers and subject matter experts.
- Proposes controls, improvements, or changes to continuously improve the compliance level of SSL.com and the efficiency of existing processes, including the auditing and monitoring tools and methodologies.
- Attends formal and informal training sessions and self-study to keep abreast of information technology concepts, industry best practices, security technologies, auditing standards, practices and tools, as well as interpersonal skills.
- Performs other compliance and audit-related functions, on an as-needed basis, as directed by Compliance and Security Auditing Manager.
Security Auditors are not responsible for setting or maintaining the necessary policies and procedures to adhere to the applicable requirements; this is a Compliance Officer task.
QUALIFICATIONS:
The Security Auditor reports to the Compliance and Security Auditing Manager and collaborates with fellow auditors, compliance officers and subject matter experts from all teams in the context of audits, investigations or assessments. Security Auditor is a Trusted Role and thus is subject to provisions of the SSL.com Trusted Role Policy.
Education:
- Bachelor's Degree in information technology, computer science or a related field required
- Four years of related experience can be used in lieu of a Bachelor’s degree.
Work Experience:
- Two or more years of business experience in Information Security / IT auditing
Skills and Abilities:
- Verbal and written fluency in English.
- Ability to read, interpret and comprehend complex documents such as contracts, standards, policies, processes, and procedures.
- Experience in methodologies, concepts and tools to audit IT systems and information security management systems.
- Experience in risk management methodologies, concepts and tools.
- Objectivity, sound judgment and fair assessment / decision making.
- Attention to the details and nuances of policies, standards and processes.
- Commitment to tasks, persistence in overcoming obstacles and dependability in difficult circumstances to get results.
- Good human and communications skills to collect the information required, engage subject matter experts and drive the audit process.
- Analytical ability to identify the different aspects of each issue, deepen the analysis in critical areas and extract essential information and conclusions.
- Proficient working knowledge of information technology concepts, practices, terminology, and standards, with ability to actively conduct and/or engage in discussions relative to all assignments. This also includes demonstrated ability to document technical matters and/or or complex concepts in a manner that is meaningful to the intended recipients.
- Knowledge of PKI concepts, Trust Services, Certification Authorities and/or Root Store Programs a plus.
Licenses and Certifications:
- Certification such as WebTrust auditor, ETSI auditor, CISA, CCAK, ISO 27001 Lead Auditor
- Any relevant licenses and/or certifications (e.g. CISSP, COBIT, ITIL, CDPSE)