Director, Information Security Risk Assessment

Hospitality



POSITION SUMMARY

Develop and manage a comprehensive Information Security Risk Assessment practice at Starwood.  The Director, InfoSec Risk Assessment (ISRA) will be responsible for developing, implementing and managing a comprehensive InfoSec Risk Assessment methodology.  The ISRA Director will then lead the effort of the ISRA team to work with various corporate and business unit technology teams to integrate the risk assessment process into the application development processes.  The ISRA Director will manage a staff of risk analysts to work with project teams to perform risk assessments.  The ISRA Director will also participate in high-risk assessments as the lead analyst.

 

Successful candidates must possess an understanding of IT terminology, have strong Security, Audit or Risk Management experience, have outstanding written and verbal communications skills, and experience dealing with senior and executive staff. The candidate must also be able to effectively multi-task competing priorities, and be pro-active in addressing issues quickly.

 

 KEY RESPONSIBILITIES

Risk Assessment Methodologies:Develop a Starwood specific Risk Assessment methodology Educate Starwood IT teams on use of methodology Adapt methodology as new technologies emerge Coordinate usage of methodology by IT teams

 Perform Risk Assessments:Work with IT teams to perform risk assessments using developed methodology Provide Information Security subject matter expertise to IT teams Work independently to provide considered opinions related to InfoSec risk Facilitate issue escalations to the InfoSec Director Apply subject matter expertise and judgment on risk evaluation, risk assessments and risk mitigations for IT and Business Unit projects Be responsible for bringing decisions to closure and building consensus through collaboration with IT and Business Unit colleagues and project team members. Contribute to the success of the achievement of business goals through decisions made on InfoSec risk issues. Ensure that all InfoSec risk and control issues/gaps are clearly documented and to work with project teams to develop remediation plans to address these issues. Endure that all action plans related to InfoSec risk issues are delivered in a timely manner and fully address the issue(s) raised. Ensure IT and Business teams adhere to InfoSec Policies and standards

 

 



TECHNICAL/JOB-SPECIFIC COMPETENCY REQUIREMENTS AND RELATED EXPERIENCE

 

The individual must possess the following knowledge, skills and abilities and be able to explain and demonstrate that he or she can perform the essential functions of the job, with or without reasonable accommodation, using some other combination of knowledge, skills, and abilities.

 

? Strong knowledge of a variety of Operating Systems (eg: Windows, Linux, Unix, OS/400)

? Strong knowledge of application development practices and processes.

? Strong knowledge of middleware tools

? Strong knowledge of RDBMS, especially Oracle and MS/SQL

? Strong knowledge of Information Security principles and practices

? Strong knowledge of network technologies, including wireless

?Strong knowledge in a variety of contemporary computing technology areas

?Excellent communication skills, both verbal and written.

?Ability to work independently towards goals.

? Strong ability to manage a team (both direct reports and project teams)

? Desire to participate as part of a team.

? Demonstrate self-confidence, energy and enthusiasm.

? Present ideas, expectations and information in a concise, well-organized way.

? Manage time well, correctly prioritizing tasks.

? Ability to be resourceful, creative and flexible.

? Ability to manage processes and associate relationships in multiple locations.

 

 

QUALIFICATION STANDARDSEducation

BA/BS degree in either Computer Science or MIS (or equivalent) preferred.



Experience

8-10+ years of experience in Information Security, with a minimum of 5 years performing risk assessments.

 

Certifications

One or more of CISSP, CISM, CISA preferred.

 



This job description is not an exclusive or exhaustive list of all job functions that an employee in this position may be asked to perform from time to time.

 

Starwood is an Equal Opportunity Employer M/F/V/D.