Freelance Senior Cloud Security Governance Analyst – 12 months
This position reports to the Cybersecurity Services Governance team lead and is pivotal in governance activities over the cloud environment. It is responsible for the automation/orchestration of administrative tasks and for the enforcement of governance policies in our multi-cloud environments. The work will focus on assisting the governance Cybersecurity Center of Excellence to build a strong security governance framework, including supporting and enhancing alignment to existing process best practices and standards, and driving a security-first approach to reduce risk for the company, improve accountability, security and scalability, and increase business agility. The candidate must have experience in information security and must have supported or worked with cloud-based systems and applications.
- Will be an active member of an Agile squad focused on building a mature public and private cloud security capability within IT
- Actively monitor security violations and vulnerability reports for cloud applications, perform root-cause and trend analysis, and provide recommendations for security control enhancements
- Implement Cybersecurity Center of Excellence governance objectives in a consistent, repeatable, and automated way across multiple cloud environments with an emphasis on AWS and Azure
- Identify security opportunities and assist in defining the strategies for Identity and Access Management, Key Management, Vulnerability Management, and Data Encryption for cloud solutions
- Contribute to building effective security monitoring, logging, and auditing for DTCC cloud environments. Drive maturity of cloud security services by identifying meaningful outcome-based metrics to highlight cloud-related risks
- Work closely with other groups to elevate our security posture for cloud services through improved security practices and standard methodologies
- Provide cloud governance guidance to business owners, application development and testing teams, procurement, and other support groups
- Maintain professional and technical process knowledge by keeping abreast of the latest industry-standard methodologies
- Align risk and control processes with day-to-day responsibilities to monitor and mitigate risk; escalate issues appropriately
- Bachelor’s degree or equivalent experience.
- Minimum 6 years of experience in Information Security GRC (governance, risk and compliance), especially in domains such as Vulnerability Management/Threat Management, Identity & Access Management, Risk Management, Certificate Management, Application Security Management, Security Information & Event Management (SIEM)
- Working knowledge of the AWS Application Hosting services (EC2, containers, serverless, storage, etc.)
- Must have strong knowledge of cloud security/infrastructure and experience governing policies and procedures with regard to cloud governance
- Hands-on expertise with auditing of cloud environments and ability to assist in defining and updating Information Security Policies/Standards as per industry best practices and regulatory requirements.
- Ability to collaborate and drive discussions with senior personnel regarding trade-offs, best practices, project management and risk mitigation.
- Deep understanding of risk management principles and standards (ISO 27001/ISMS, PCI, COBIT, NIST) in order to recommend methods to mitigate risks with standard control mechanisms.
- Expertise in performing periodic control gap assessments or internal/vendor security assessments on systems and technologies
- Experience with cloud security monitoring tools such as Dome9, and the ability to define and present security risk metrics/data, is desired
- Information Security Certifications (CISSP, CISA, CISM, ISO 27001, COBIT, CRISC, AWS Certified Cloud Practitioner, CCSP) are a plus
- Hands-on experience with any of the GRC tools such as MetricStream, Archer, ServiceNow, or JIRA is a plus
The Cybersecurity Services domain protects DTCC from cybersecurity risks through world class security architecture, engineering and governance practices. Cloud Security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of DTCC’s public and private cloud computing remit.