The Application Security Risk Manager (ASRM) is responsible for managing the organization’s information security risks, ensuring that security risks affecting the organization are known, evaluated for significance, appropriately communicated, and effectively addressed through the application of appropriate security controls and processes. The ASRM manages the security risk register and champions the timely resolution of security risks.
Essential Job Functions:
• Drive the comprehensive and successful execution of the organization’s infosec risk management program in an efficient and effective manner.
• Assess, investigate, triage, prioritize, track, verify, and promote the timely resolution of security risks.
• Operate, maintain, and enhance the organization’s GRC infrastructure (Rsam).
• Assess and monitor applications for security vulnerabilities. The ASRM is responsible for applying appropriate tools and techniques to identify vulnerabilities in software and systems.
• Correlate and analyze data such as vulnerability and threat service feeds, security tool output, and configuration management system data to identify and evaluate potential infosec risks.
• Monitor and maintain security controls to ensure effective operation.
• Assess third party risk using established methodologies.
• Prepare and deliver written and verbal communications in a professional and persuasive manner. This may include security assessment reports, status reports, training briefings, etc.
• Manage third-party services, such as penetration tests, including vendor evaluation/selection and execution.
• Participate in and support initiatives as directed by departmental management.
Education/Experience Requirements:
• Bachelor of Science in Computer Science, Information Technology, Risk Management, or related field; concentration in information or software security a plus.
• Five years’ professional experience in successfully executing the essential job functions of this position. Advanced degree may be considered to partially meet this experience requirement. Experience managing small teams a plus.
• Professional technical experience working with a substantial segment of the following tools, technologies, and processes to promote, monitor, analyze, and validate IT system security:
Highly Desirable
o Execution of a successful vulnerability monitoring and risk management program, to include risk identification, risk evaluation/triage, consensus building where needed, reporting and communication, and remediation verification.
o Configuration and operation of a professional GRC system, particularly Rsam IT Risk Management tool.
o Experience performing data analysis in support of risk analysis and management. Good knowledge of SQL or a comparable language, with an ability to efficiently correlate and analyze data from disparate sources (SQL databases, desktop databases, simple files, etc.). Experience scripting with Python or Perl a plus.
o Mastery of MS Office tools (Excel, Access, PowerPoint, Word).
Also Desirable
o Development languages/environments such as C#/.NET or J2EE, including familiarity with their native security services and common deficiencies. Experience as a software developer in these technologies, as well as in client-side technologies such as GWT, YUI, and jQuery, is a significant plus.
o Web vulnerability and code assessment tools such as AppScan, WebInspect, and Fortify.
o Configuration, tuning, and administration of operational security controls such as Imperva SecureSphere, Voltage, and Vormetric.
• Excellent technical writing, documentation development, process mapping, and visual communication skills.
• Strongly collaborative, with excellent interpersonal and verbal communication skills.
• Effective leadership, collaboration, and team skills, including the ability to deal effectively with people, resolve issues, and support and champion change.
• Financial services industry experience a plus.