Information Security GRC Analyst- Sugar Land or Lubbock

External Applicants: Please apply through Prosperity Bank's Career Center at https://www.prosperitybankusa.com/Careers. Applying through any other source may prevent Prosperity from receiving your application. Internal Applicants: If you are a current associate of Prosperity Bank, please apply through the internal Talent - Career Center in ADP.

POSITION PURPOSE

The Information Security GRC (Governance, Risk, and Compliance) Analyst is responsible for continuously evaluating the adequacy and effectiveness of the Bank’s cybersecurity risk management processes. This role is crucial for ensuring compliance with legal requirements, regulatory mandates, industry standards, and internal policies and standards. The IS GRC Analyst will offer specialized expertise and consultation to cross-functional teams, perform framework-oriented risk assessments, identify deficiencies, generate reports, and recommend prioritized, actionable solutions to mitigate risks and enhance the overall security posture of the Bank’s information technology infrastructure.

ESSENTIAL FUNCTIONS AND BASIC DUTIES

1. Provide complementary expertise, consulting, analysis, assessments, and reports to management and cross-functional teams to improve the efficiency and effectiveness of cybersecurity risk management activities.
2. Perform structured framework-oriented assessments to evaluate risks introduced through software, interconnections, systems, and processes delivered by both the organization and third-party providers.
3. Assess and document the effectiveness of cybersecurity safeguards to identify deficiencies in organizational and third-party software, networks, systems, and processes regarding legal and regulatory requirements and cybersecurity standards. 
4. Propose suitable mitigation strategies and verify the effectiveness of remediation plans.
5. Offer cybersecurity advisement and develop documentation to enhance the organization's risk governance procedures.
6. Assess cybersecurity policies and procedures to ensure they comply with laws, regulatory requirements, and the organization's risk tolerance, and suggest enhancements.
7. Support the creation of strategies for measuring and monitoring risk, compliance, and assurance.
8. Stay current with new technologies and best practices relative to information security and privacy disciplines.
9. Regularly monitor and communicate emerging industry developments and changes to federal, state, and industry laws and regulations.
10. Continuously expand understanding of new technologies and best practices in the security and privacy disciplines. 
11. Exhibit sound business judgment, build trust, and provide practical security analysis while utilizing data-driven business cases to advocate for prudent security investments that enhance security controls and processes.
12. Support the continuous improvement of the Bank’s Information Security Team and promote a culture of innovation and accountability.
13. Perform additional duties as required.

The above statements describe the general nature and level of work only. They are not an exhaustive list of all required responsibilities, duties, and skills. Other duties may be added, or this job description may be amended at any time.

QUALIFICATIONS

Education/Certification: Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, a related discipline, or the equivalent of combined education and related work experience. Professional certifications including CISSP, CGRC, CCSP, CISA, CISM, CRISC, or certifications through GIAC or CompTIA are preferred.

Experience Required: Minimum of 2 years of experience in an information security or risk management role with responsibilities in one or more of the following domains: security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. Direct experience in information systems auditing or risk management preferred.

Experience with the practical application of security control and risk management frameworks (NIST, FFIEC, CRI, ISO) to conduct risk assessments within an organization's IT ecosystem.

Experience in creating and maintaining policies and procedures documents.

Demonstrated ability to successfully execute initiatives in complex and highly regulated environments.

Banking or financial services industry experience strongly preferred.

Required Knowledge:       Strong understanding of the interrelationship of organizational cybersecurity objectives; the Confidentiality, Integrity, and Availability (CIA) model; and defense-in-depth principles, practices, tools, and techniques.

Practical knowledge of industry cybersecurity and risk management models, frameworks, processes, principles, and practices, including the National Institutes of Standards and Technology (NIST) cybersecurity Special Publications and frameworks (e.g. NIST CSF, NIST 800-37, etc.).

Knowledge of cybersecurity threats, threat characteristics and vulnerabilities, risk and threat assessment methods, and risk scoring principles and practices.

Knowledge of cybersecurity and privacy laws, regulations, policies, and procedures, including Personally Identifiable Information (PII) data security standards and best practices such as the Gramm-Leach-Bliley Act (GLBA) and the Federal Deposit Insurance Corporation (FDIC)/ Federal Financial Institutions Examination Council (FFIEC) Safeguards Rule.

Familiarity with Payment Card Industry - Data Security Standard (PCI-DSS); Health Insurance Portability and Accountability Act (HIPAA); and the Center for Internet Security (CIS) benchmarks; targeting, exploitation and insider threat laws and regulations; data residency and economic trade sanctions laws and regulations; and critical infrastructure cyber defense laws and regulations. 

Familiarity with Windows and Unix/Linux system administration and architecture, database systems and software, encryption algorithms, cryptographic key management principles and practices, LAN and WAN architectures and computer networking protocols, cloud computing, identity and access management (IAM) principles and practices, authentication and authorization tools and techniques, and data backup and recovery policies and procedures.

Skills/Abilities:                  
Excellent written and oral English communication and presentation skills.

Ability to discuss security topics with non-technical audiences.

Willingness to work beyond standard business hours when necessary.

Ability to effectively lead multiple tasks and projects concurrently.

Strong analytical skills with the ability to apply critical thinking.

Skill in performing information systems risk assessments (application vulnerability assessments, security assessments, etc.) and preparing reports.

Ability to research, analyze, and resolve complex problems with minimal supervision and escalate issues as appropriate.

Ability to collect, verify, and validate data and derive evaluative conclusions to ensure conformance with laws, regulations, policies, processes, and information quality requirements.