Jenner & Block LLP seeks an experienced information security audit/policy professional possessing a strong understanding of industry security technology and audit controls with the ability to develop policies and procedures supportive of established audit requirements. The ideal candidate should demonstrate an ability to quickly assess security risks, identify controls/policies to mitigate security risks and establish documented procedures and protocols designed to ensure the firm’s information is protected and secure. The Information Security Policy/Audit Analyst reports directly to the Chief Information Security Officer. It is an exempt position with regularly scheduled hours of 8:45 a.m. - 5:15 p.m., Monday through Friday with additional hours as required.
ESSENTIAL JOB FUNCTIONS
Develops, tests, documents, evaluates, tracks and improves information security controls for all information technology resources, applications and security protocols.
Creates and documents security policies, procedures and protocols as required.
Implements security audit guidelines and workflow process, testing the capability, reliability and effectiveness of the firm's security systems, applications, protocols and procedures.
Collaborates with appropriate stakeholders to document and implement necessary policies and procedures to comply with ISO 27001 standards and to obtain certification.
Works with security and departmental subject matter experts to develop and document a practical business continuity plan designed to ensure ongoing business viability.
Works with appropriate personnel to respond to client-generated security assessments.
Performs necessary security engineering tasks as a backup for other security team members.
Undergraduate degree in computer science, information technology or equivalent work experience.
At least 5 years in an information security role, preferably in a law firm or other environment involving critical data and confidentiality management requirements.
Experience working with enterprise security technologies, including IDS/IPS systems and firewalls (CheckPoint experience preferred), antivirus, enterprise vulnerability scanning and testing, data-at-rest encryption technologies, and related technologies used to secure electronic data in the enterprise.
Experience in performing auditing and other testing of security controls, developing audit plans and procedures, and reporting the results of such audits.
Experience in security policy writing/development, security education, network penetration testing, application vulnerability assessments, risk analysis and compliance testing. CISSP, CISM, CRISC, CISA, GIAC, or other security certifications desired.
Knowledge of information security controls and standards, particularly ISO 27001/27002 and NIST 800-53; rules and regulations related to information security and data confidentiality (e.g., HIPAA); and desktop, server, application, database and network security principles for risk identification and analysis.
Strong analytical and problem-solving skills.
Excellent communication (oral, written, presentation), interpersonal and consultative skills.