Enterprise Security Policy and Standards Analyst
The Enterprise Security Policy and Standards Analyst is focused on the development and ongoing maintenance of Technology and Enterprise Security policies and standards for protecting the confidentiality, integrity, and availability of information at Comerica. The incumbent evaluates the need to establish new technology/information security standards based on risk evaluations, changes in threats, technology updates, business objectives, laws, and/or regulations. This will include monitoring new laws, regulations, and industry standards that may affect how technology and information security is managed at Comerica (e.g., GLBA, FFIEC standards, PCI standards, HIPAA, Privacy laws).
The incumbent will assess gaps with Comerica's existing technology/information security controls, policies, and standards and make recommendations to management as needed for new and updated standards. This will require working directly with subject matter experts from Enterprise Security, Technology, Enterprise Risk, Legal and other business units within the bank to further assist in the recommendations and document these requirements.
This role will be responsible for interpreting, analyzing, developing, and writing policies and standards from a business and technical perspective. This includes managing the entire lifecycle, which consists of planning, research, drafting, approval and publication, and communication of the policies and standards.
Position Responsibilities:
Policy Development
Assist with drafting of policy documents (standards, procedures, and reference documents) ensuring clarity, accuracy, and effectiveness.
Develop and implement organizational policies to ensure compliance with applicable laws, regulations, and industry best practices.
Coordinate with business unit leaders and management to assess policy needs and develop strategies to address organizational challenges.
In collaboration with Technology and Enterprise Security partners, evaluate moderately complex technologies, systems, processes and controls to identify security risks and compliance gaps.
Conduct thorough document reviews to ensure the validity and accuracy of all documentation related to Technology and Enterprise Security policies and procedures.
Participate in policy review meetings with stakeholders to gather feedback, discuss policy implications, and achieve consensus.
Policy Governance and Oversight
Review new or modified technology and information security policies prior to vetting and publication, and make recommendations to the Sr. Manager.
Identify, recommend, and facilitate the enhancement or modification of Technology and Enterprise Security policies based on changes in risks, organizational practices, regulations, industry best practices or technical trends.
Monitor the impact of implemented policies, analyzing performance data and stakeholder feedback to identify areas for improvement.
Assist in maintaining a comprehensive and up-to-date policy library.
Oversee the archiving of obsolete policies and the documentation of policy changes.
Test and monitor Technology and Enterprise Security compliance improvements and their impact on current policies and standards.
Project Management and Communication
Manages and leads small to medium projects related to technology risk and information security, such as the development of new policies or complex policy revisions, large technology projects, and training course development.
Contributes to projects driven by groups both internal and external to Enterprise Security.
Publishes updated and new policies and procedures to SharePoint.
Participates in working groups regarding Technology risk and Enterprise Security policy development and review of new technologies, designs, and remediation planning efforts.
Other duties as assigned.
Position Qualifications:
Bachelor's Degree from an accredited university in Information Management, Information Governance, Risk Management, Computer Science, or other relevant disciplines, OR HS/GED with 5 years of progressive relevant experience
5 years of experience in policy interpretation and development
5 years of experience in the development and analysis of industry best practices
5 years of experience with IT governance, compliance, risk, and audit programs
5 years of experience with GLBA, FFIEC standards, PCI standards, HIPAA, Privacy laws or similar compliance activities such as SOX, PCI, etc.
3 years of experience supporting audits and assessments
2 years of experience in IT security control development, control testing, risk remediation, and reporting
2 years of experience with one or more of the following: MS Office, Qualys, SIEM, Archer, ServiceNow
Licenses/Certifications:
CISSP (Certified Information Systems Security Professional) preferred
CISM (Certified Information Security Manager) preferred
CISA (Certified Information Systems Auditor) preferred
CRISC (Certified in Risk and Information Systems Control) preferred
Work Best Category: Category C - Days in the office will either be designated days or will vary week to week from 2-5 days
Hours: 8:00am - 5:00pm Monday - Friday
Salary: To Be Determined Based on Individual Experience
About Comerica
We know our employees are critical to our overall success and we are dedicated to investing in their future. One of the ways we do this is to offer a comprehensive Total Rewards package designed to recognize and reward individual performance, as well as support health, well-being, development and security for our colleagues and their families. Total Rewards consists of cash compensation, development and flexible benefit programs designed to meet individual needs today and in the future. Your salary...
Comerica is proud to be an Equal Opportunity Employer - veterans/individuals with disabilities, committed to workplace diversity.