Job Summary

The Risk Management Analyst is responsible for identifying, assessing, and managing cybersecurity risks across the organization's IT and OT environments. The analyst leads CITGO efforts in hardware / software and systems risk assessments, Risk Management, cybersecurity policy and procedure management, and cybersecurity governance. In this dynamic role, the employee oversees critical areas such as cyber risk assessments, policy and procedure rollout to system owners, and incident response planning, ensuring our business remains resilient and secure. As a key contributor, the employee collaborates with cross-functional teams to drive compliance initiatives, protect sensitive data, and help maintain the trust of CITGO’s information.

Minimum Qualifications

Required:

• Bachelor’s degree and 8 years of experience; or associate’s degree and 10 years of experience; or high school diploma and 12 years of experience.
• Awareness of emerging technologies and their associated risks.
• Advanced analytical and problem-solving skills for assessing and prioritizing risks.
• Compliance Standards: Familiarity with standards like ISO 27001 and NIST 800.53, 800.144 and 800.82.
• IT and OT Risks: General knowledge of risks that impact IT and OT systems.
• Supply Chain and Third-Party Cyber Risk Management (TPRM): Knowledge of best practices for TPRM, including highest priority risk mitigation practices.
• Attention to Detail: Precision in managing risk assessments and governance to ensure adherence to compliance standards.

 

Preferred:

• CISSP, CRISC or other security or compliance certifications.

Job Duties

1. Comprehensive Infrastructure Risk Assessment:
   1. Conduct regular and thorough cybersecurity risk assessments across the organization's entire IT and OT infrastructure, including networks, cloud environments, data centers, endpoints, IoT devices, and software applications.
   2. Ensure risk assessments are aligned with industry frameworks like NIST, and CIS Controls to identify and prioritize risks.
   3. Regularly review security configurations and controls for effectiveness and compliance with organizational policies and external regulations (e.g., GDPR, CCPA, PCI DSS).
   4. Assist in evaluating cybersecurity risks posed by third-party vendors, contractors, and service providers, including supply chain risks.
   5. Perform regular assessments of exposure and coordinate security reviews ensuring adherence to organizational security standards.
2. Hardware / Software Risk Assessments for IT and OT:
   1. Coordinates the risk assessment process, meeting with IT and Business Coordinators.
   2. Ensure the assessment process moves quickly to prevent delays in the implementation of new hardware and software.
   3. Utilize external threat platforms to assess other risks.
   4. Utilizes the GRC platform to control the assessment process..
3. Governance Policy / Procedure Rollout to System Owners:
   1. Collaborate on developing policies, standards, and procedures to enhance risk management structure. Meets with system owners to review changes to policies, procedures, and controls.
   2. Meets with new system owners to review their responsibilities.
   3. Utilizes the GRC platform to control and document system owner responsibilities.
4. Supply Chain and Third-Party Cyber Risk Management:
   1. Evaluate and collaborate with Legal and Procurement to ensure supply chain risk is mitigated.
   2. Utilize cyber risk platforms to document and follow up on 3rd party risk.
5. Incident Response Plans (IRP):

1. Responsible for maintaining the IT and OT IRP.
2. Works with the Manager InfoSec and consultants to continuously update the IRP.
3. Participate in tabletop exercises related to IT and OT IRPs.

Job Duties II