Job Description

Serve as an embedded information security and IT risk advisor and subject matter expert to one or more of the business unit IT groups of the Church. This includes supporting and enabling the implementation of security programs and controls, advising on the risk implications of architecture and design decisions, and assisting with the design and validation of risk reduction efforts within the assigned group.


Information Security Risk Managers also participate as experienced evaluators on a committee that identifies, documents and evaluates technology risks for the Church- so that policy, programs and strategic technology decisions can be informed by comprehensive and reliable assessment of risks.


Effective performance of these two purposes requires a combination of effective relationship management skills and a broad understanding of technology, business processes, and how they interplay in an enterprise to create and manage IT risk.


This individual works with divine guidance to provide or support technology that furthers the mission of the Church and reflects the eternal impact of the gospel.



As requested, assist with the development of information security programs, policies and procedures within the Church Participate in strategy and culture as a member of the extended leadership of the Information Security and Risk Division With assigned IT portfolio(s), establish and maintain a trusted advisor and partner role with portfolio leaders and staff; be familiar with their objectives, needs and technical ecosystem Communicate risk and/or information security knowledge appropriately to assigned audiences that may include knowledge workers, highly-technical engineering staff, and executive-level leadership Provide information security subject-matter expertise to associated business and technical leaders Assist business and technical leaders in understanding, prioritizing and reducing information security risk, including general workforce information protection and handling capabilities Facilitate security program compliance and risk-grounded decision making through sound relationships, alignment with partners and professional influence skills Perform and supervise risk assessments with solution, product and engineering leaders; both standardized assessments and specialized assessments of unique technologies, architectures and business technology plans Evaluate adherence to and promote information security policies and standards; review compliance or assessment artifacts and deliverables for completeness and accuracy Document critical security risk findings in support of fully-informed and proactive decision-making Effectively communicate risk and urgency to technical leaders where immediate mitigation response for critical risks is needed Coordinate security assessment findings and reports with management, engineers and customers Coordinate application vulnerability and penetration tests; coordinate tests and evidence-gathering activities for solution security certification/compliance validation Evaluate whether sensitive data handling systems and processes comply with Church policies and procedures

Non-Responsibilities

Describe the major non-responsibilities of this role. What is this role not responsible for and should not do?



Is not accountable for any given solution's actual implementation of, and compliance with, security standards and programs. These responsibilities lie with the portfolio and solution leaders. In the conducting of standardized and atypical risk assessments, as well as in risk committee validations, evaluates organizational risk and may advise on available options, but does not accept risk for any part of the Church or make any formal decisions regarding the mitigation, avoidance or transfer of risks. These decisions lie with appropriate technology and business roles.



Education:



Bachelor's Degree in Information Systems, Information Technology or equivalent professional experience

Work Experience:



8+ years of experience in a core IT technology (e.g., software developer, network engineer, database engineer) where compliance activities or the identification of security risks or code defects were part of the work experience; plus, significant hands-on experience with commercial and open source security tools and products, penetration testing, analysis and project management Minimum of one year of experience in an information security, IT risk, or compliance-related role

Demonstrated Skills & Abilities:



Ability to identify and assess likely security risks across technical domains like segmented enterprise networks, identity and access infrastructure, symmetric and asymmetric encryption technologies, cloud architectures, insider threats, endpoint protections, securing web applications, and privacy and regulatory Ability to work individually and as part of a team with minimal supervision Proven ability to conceptualize, analyze and communicate complex issues and concerns to both technical and non-technical managers and workers Proven ability to develop, refine and follow processes Must be familiar with security standards and best practices such as those specified by the payment card industry, ISO 27000, National Institute of Standards and Technology, Center for Internet Security Excellent communication skills (both written and verbal; this can include multi-lingual abilities) Effective communication skills (both written and verbal; this can include multi-lingual abilities) This job operates in a professional office environment To successfully perform the essential functions of the job there may be physical requirements which need to be met such as sitting for long periods of time and using computer monitors/equipment Ability to understand the security considerations in an internationally-based IT environment and works well with global teams and Areas An effective understanding of Application and Code security processes


Specific Degrees, Certifications, Licenses:



CISSP certification (ISC 2 ) or the ability to attain it as requested Prefer one or more of the following recognized IT security certifications: GCED, CISA, CISM, CRISC, CPISA, GWAPT, CIPP (Other technical certifications are also given consideration)



Church employees find joy and satisfaction in using their unique talents and abilities to further the Lord's work. From the IT professional who develops an app that sends the gospel message worldwide, to the facilities manager who maintains our buildings-- giving Church members places to worship, teach, learn, and receive sacred ordinances--our employees seek innovative ways to share the gospel of Jesus Christ with the world. They are literally working in His kingdom.
Only members of the Church who are worthy of a temple recommend qualify for employment. Apart from this, the Church is an equal opportunity employer and does not discriminate in its employment decisions on any basis that would violate U.S. or local law.
Qualified applicants will be considered for employment without regard to race, national origin, color, gender, pregnancy, marital status, age, disability, genetic information, veteran status, or other legally protected categories that apply to the Church. The Church will make reasonable accommodations for qualified individuals with known disabilities.