Sr. Security Risk Analyst

Tulsa, OK

Opportunity Details

Full Time Sr. Security Risk Analyst

Tulsa, OK

Primary Purpose of job:


The Senior Security Risk Analyst provides advice and expertise to IT staff and other departments related to information security issues.  The Senior Analyst monitors the threat landscape, prepares risk and vulnerability assessments, creates risk process documentation, and otherwise contributes to the development and maintenance of a sound cyber security program.  The Senior Analyst will evaluate internal security controls against industry standard best practices, established control frameworks, and internal audit requirements. This position is responsible for leading process improvement activities, participating in information security assessment projects and participating in security awareness communication and training activities.  The Senior Analyst will participate in companywide projects to ensure that IT risks are known to the business and are remediated, transferred, or accepted.  The Senior Analyst will assist the Cyber Security Manager in reporting risk and compliance status and program maturity to business leadership.


Major functions for this position:


1. Oversees the risk assessment and information security awareness processes. (20%)

    • Conducts internal IT risk assessments
      • On at least an annual basis, conducts or causes to be conducted an IT risk assessment. 
      • Work with the Cyber Security Manager to develop a schedule of internal risk reviews
      • Coordinate reviews with QuikTrip Internal Audit as required to minimize impact of assessments to business units
      • Interfaces with end users as well as all levels of management, technical and business sources to complete assessments
    • Responsible for a deep understanding of business processes and technology used within the assigned areas to ensure that the business is in compliance with regulatory requirements and the QT Information Policy and applicable procedures, processes and standards.
    • Acts as primary IT Risk and Compliance representative on IT and business projects to ensure that information security risks are managed appropriately
    • Maintain relationships inside and outside of IT to enable the discovery of risks outside formal risk assessments.


2. Evaluate and recommend controls to mitigate information technology, security and privacy risk.  Map internal controls to appropriate established industry or other standard (ISO, NIST, etc.) (20%)


3. Identify and evaluate technology risks internally and/or at third parties, internal controls which mitigate risks, and related opportunities for internal control improvements. (15%)


4. Understand complex business and information technology management processes.  (15%)


5. Assess application layer security controls to ascertain whether they comply with QuikTrip policies. (10%)


6. Cloud/SAAS: Develop an understanding of the third parties’ IT control environment and perform basic risk management approaches to evaluate their IT controls. (10%)


7. Actively participate in decision making with third parties and internal QT Management for mitigating identified vulnerabilities. (5%)


8. Performs assessments necessary to ensure the safety of information system assets and to protect systems from intentional or inadvertent access or destruction. (3%)


9. Participate in 24/7 Security Incident Response team activity. (2%)


Position in Organization


Reports to:  Director of Cyber Security


Directly supervises: N/A


Indirectly supervises: Personnel involved in remediation of IT security risks




Inside the Company: Information Technology internal staff, QuikTrip management group, and User community at large.


Outside the Company: Hardware and software vendors. Professional security organizations and user groups.



  Position Specifications


     The required specifications (education, experience, and skills) are those that the employee must have to hold the position.  Applicants applying for this position must possess the required specifications in order to be considered for the job.  The desired specifications are those that are not required for the employee to hold the position but the employee should try to obtain the desired education, experience, and/or skills to be effective and successful in the position. 


     Required education:  Bachelor’s degree, preferably in MIS or Computer Science or equivalent work experience.


     Desired education: Certification as an Information Systems Security Professional, (preferably CISM, CRISC, Cisco CISSP) or equivalent


     Required experience: Five or more years of experience in technical areas of IT.  Four or more years of experience in security.  Experience conducting risk assessments and vulnerability analyses and experience delivering results to technical and non-technical personnel.  Experience leading junior personnel and/or mentoring risk and compliance professionals.


     Desired experience:  Experience with networking and telecommunications products and equipment.  Experience in application security and SSDLC.  Knowledge of applicable data privacy practices and laws, including regulatory compliance.


     Required skills: Deep understanding of IT security controls and risk/compliance frameworks such as ISO, COBIT and NIST.  Strong written and verbal communication skills.  Highly self-motivated and directed.  Knowledge of Security Risk Assessments, AD and MS servers, anti-virus, end-point, firewall, and web filtering software, wireless networking and security, patch management and vulnerability scanning.  Understanding of encryption systems and methodology.


     Desired skills:  Knowledge of AS400 systems, application security, IIS, and Cisco configuration and management.


Starting Salary: $103,000 to $129,000