Information Security Compliance Analyst
Shape Your Future With Us
General Re Corporation, a subsidiary of Berkshire Hathaway Inc., is a holding company for global reinsurance and related operations, with more than 2,000 employees worldwide. Its direct reinsurance companies conduct business as Gen Re.
Gen Re delivers reinsurance solutions to the Life/Health and Property/Casualty insurance industries. Represented in all major reinsurance markets through a network of more than 40 offices, we have earned superior financial strength ratings from each of the major rating agencies.
Gen Re currently offers an excellent opportunity for an Information Security Compliance Analyst in our corporate headquarters in Stamford, CT.
The Security Compliance Analyst is a member of the Global Security Compliance team in the Legal department and serves in a hands-on support role for the corporate information security program. This includes ensuring that compliance program and security policy deliverables are achieved. The analyst also supports the security policies, processes, tools and standards throughout the organization, through close association with the Global Information Security Group, Internal Audit, Legal, Human Resources, Data Privacy Officers, and other organizations within the corporation, and with designated external partners.
Candidate must have a strong background in technology, security and metrics, and must be highly adaptive. The candidate must be highly collaborative, organized and analytical, and is expected to partner and mentor effectively with other teams on an ongoing basis.
- Identifies policy and process gaps or breaks, ensures proper segregation of duties, and documents approved exceptions.
- Participates in the drafting, updating, revising and publication of security policies and other security materials.
- Develops, tests, documents, evaluates, tracks, and improves security compliance controls.
- Performs administrative control reviews and recommends remediation actions and alternative approaches to resolve conflicts.
- Identifies, collects and organizes security incident and event data to produce exception and management reports.
- Supports continuous improvement by developing, operationalizing and maintaining security compliance metrics and documentation. Also provides support for Security Compliance requests and incidents.
- Reviews technology platforms, including operating systems, applications, network devices and vendors, to ensure compliance with established best practices and with organizational and operational policies.
- Participates in Change Control and Release activities to ensure changes & deployments don’t compromise security controls and policies.
- Maintains the Security Questionnaire database and responds to Security Questionnaires, as necessary.
- Prepares risk assessments for third- and fourth-party vendors to advise the business on relevant IT risks associated with using the vendor or technology.
Bachelor’s degree in computer science, or equivalent work experience required.
Professional security management certification, such as an (ISC)² Systems Security Certified Practitioner (SSCP) or SANS GIAC Information Security Professional (GISP), is a plus.
Experience/Skills (1–5 years)
- Strong conceptual thinking and communication skills – the ability to translate complex business and technical requirements into effective and comprehensible solutions.
- Ability to correlate disparate data sources to produce a complete picture, or view of an event, system, or environment (Connect the dots).
- Working knowledge of various regulations such as SOX, HIPAA, and international data privacy regulations such as the European Union General Data Protection Regulation.
- Knowledge of NIST and ISO 27000 security practice frameworks.
- Knowledge of security controls (e.g. firewalls, IDS/IPS, VPN, web content filters, proxies, DLP, SIEM, log aggregation, etc.). Operational experience with one or more common IT infrastructures (telecom, database, Windows, Active Directory, LDAP, SMTP, DLP, *NIX server systems, and virtualization platforms).
- Understanding of the Microsoft Office suite, including Access and Visio.
- The following are not essential, but are highly valued:
- SharePoint experience to maintain security sites associated with the Security Compliance Group
- Professional experience or knowledge of application or infrastructure penetration testing
- Basic working knowledge of scripting/programming languages (e.g. Python, PowerShell)
- Basic knowledge of cloud security controls and behaviors