GRC Engineer

Basic information
Job role
Governance & Service Management
Career level
Entry Level (0-2 years)
Keywords
GRC Engineer Grade - Banking
People
Description
  • Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
  • Plan and conduct security authorization reviews and assurance case development for new and existing installation of systems and networks to confirm that risk is within acceptable limits.
  • Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
  • Verify and update security documentation reflecting the application/system security design features.
  • Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
  • Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
  • Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
  • Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
  • Assure successful implementation and functionality of security requirements and appropriate IT policies and procedures that are consistent with the organization's mission and goals.
  • Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
  • Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
  • Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • Conduct interactive training exercises to create an effective learning environment.
  • Develop new or enhance existing awareness and training materials that are appropriate for intended audiences.
Requirements
  • Bachelor’s degree in engineering, Computer Science, Cyber Security, or any related field from a reputable university.
  • Preferably hold one of the following certifications: CCNA Security, CompTIA Security+, CISA, ISO 27001.
  • Fluency in Arabic and English.
  • Fresh graduates with a cybersecurity-related certificate, or up to 1 year of experience in information security.

Ability to:

  • Identify systemic security issues based on the analysis of vulnerability and configuration data.
  • Answer questions in a clear and concise manner.
  • Ask clarifying questions.
  • Communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
  • Design valid and reliable assessments.
  • Apply critical reading/thinking skills.
  • Evaluate information for reliability, validity, and relevance.
  • Function in a collaborative environment, seeking continuous consultation with others.
  • Interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
  • Interpret and understand complex and rapidly evolving concepts.
  • Monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
  • Relate strategy, business, and technology in the context of organizational dynamics.
  • Apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge of:

  • Computer networking concepts and protocols, and network security methodologies.
  • Risk management processes (e.g., methods for assessing and mitigating risk).
  • Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Cybersecurity and privacy principles.
  • Cyber threats and vulnerabilities.
  • Specific operational impacts of cybersecurity lapses.
  • Authentication, authorization, and access control methods.
  • Applicable business processes and operations of the bank.
  • Cyber defense and vulnerability assessment tools and their capabilities.
  • Cryptography and cryptographic key management concepts.
  • Data backup and recovery.
  • Database systems.
  • Business continuity, disaster recovery, and continuity of operations plans.
  • Organization's enterprise information security architecture.
  • Organization's Local and Wide Area Network connections.
  • Security Assessment and Authorization process.
  • Cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • Cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • Risk Management Framework (RMF) requirements.
  • Current industry methods for evaluating, implementing, and disseminating IT security assessment, monitoring, detection, and remediation tools and procedures.
  • Network access, identity, and access management (e.g., PKI, OAuth, OpenID, SAML, SPML).
  • New and emerging information technology (IT) and cybersecurity technologies.
  • System and application security threats and vulnerabilities (e.g., buffer overflow).
  • Systems diagnostic tools and fault identification techniques.
  • Enterprise information technology (IT) architecture.
  • Organization’s enterprise information technology (IT) goals and objectives.
  • Supply Chain Risk Management Practices (NIST SP 800-161).
  • Organization's core business/mission processes.
  • Information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.
  • Critical infrastructure systems with information communication technology that were designed without system security considerations.
  • Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • Security architecture concepts and enterprise architecture reference models.
  • Security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  • Personally Identifiable Information (PII) data security standards.
  • Payment Card Industry (PCI) data security standards.
  • An organization's information classification program and procedures for information compromise.
  • Controls related to the use, processing, storage, and transmission of data.
  • Application Security Risks (e.g. Open Web Application Security Project Top 10 list).

Skills in:

  • Applying confidentiality, integrity, and availability principles.
  • Determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • Discerning the protection needs (i.e., security controls) of information systems and networks.
  • Recognizing and categorizing types of vulnerabilities and associated attacks.
  • Interfacing with customers.
  • Conducting reviews of systems.
  • Network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
  • Integrating and applying policies that meet system security objectives.
  • Assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC).
  • Performing impact/risk assessments.
  • Information prioritization as it relates to operations.
  • Interpreting vulnerability scanner results to identify vulnerabilities.
  • Managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
  • Performing target system analysis.
  • Preparing and presenting briefings.
  • Preparing plans and related correspondence.
  • Prioritizing target language material.
  • Processing collected data for follow-on analysis.
  • Providing analysis to aid writing phased after action reports.
  • Reviewing and editing assessment products.
  • Reviewing and editing plans.
  • Tailoring analysis to the necessary levels (e.g., classification and organizational).
  • Target development in direct support of collection operations.
  • Target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).
  • Accessing information on current assets available and their usage.
  • Analyzing strategic guidance for issues requiring clarification and/or additional guidance.
  • Applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
Company information
Industry
Banking
Area
New Cairo