Access Control Consultant
Location: Remote - US only
Job Type: Full time
Responsible for providing access control support associated with IAM technologies and processes. Responsibilities include writing position papers, reviewing and writing audit observation responses, acting as IAM controls consultant for projects, and turning policy/standards/regulatory best practice into full operational process(es). Requires expert ability in risk identification for security, technology, operational and regulatory risk. Able to make risk-based decisions and recommendations on the big picture and lead projects aimed at security access risk mitigation to completion, coordinating with various IT groups and globally across the business to deliver results that are aligned with the Security policy and IAM strategy. Performs audits and reviews of IAM solutions to help ensure appropriate security measures are in place and auditable, and that user access/IAM systems are designed so that they are appropriately aligned with Aflac policies and standards. Provides direct support to the business, internal and external auditors and Information Security leadership. Assesses risk associated with user and access administration systems and performs oversight/review of work from more junior staff prior to management and/or business review.
Principal Duties & Responsibilities
- Helps drive the development, implementation, and maintenance of an Access Control & Support program; develops and maintains access governance program procedures and metrics for consistent risk management/mitigation. Works closely with Information Technology, business personnel, risk management and other personnel on implementation and enforcement of IAM requirements
- Identifies and addresses audit/business IAM needs: building solid relationships with customers/IT; developing an awareness of relevant services; communicating with the business in an organized and knowledgeable manner; delivering clear requests for information; demonstrating flexibility in prioritizing and completing tasks; and communicating potential conflicts to management
- Performs as a team member, understanding personal and team roles; contributing to a positive working environment by building solid relationships with team members; proactively seeking guidance, clarification and feedback; providing guidance, clarification and feedback to less experienced staff
- Maintains and enhances IAM and access control policies and procedures to ensure their alignment with the department’s goals and objectives
- Assists with the development and delivery of training for other members of the Access Control & Support team or as required for new policies, reviews or procedures
- Analyzes impact of new controls, audit and regulatory requirements on IAM processes; supports investigations of alleged policy violations for access; conducts IT compliance assessments to identify gaps, impacts and risks.
- Helps lead the Access Control program by coordinating various projects, monitoring and reporting status, and supporting project risk and issue management.
- Demonstrates advanced understanding of business processes, internal control risk management, IT controls and related standards
- Identifies and evaluates complex business and technology risks, internal controls which mitigate risks, and related opportunities for internal control improvement. Understands complex business and information technology management processes.
- Participates in complex enterprise-scale Identity Management and related projects to consult on access control requirements
- Leads meetings and works independently with leaders, the business unit and members of IT management to provide effective mitigation of reported security concerns and complaints and help ensure any risk(s) are raised to the appropriate level of authority for decision-making
- Participates on project teams as IAM expert to assist in the implementation of roles, user profiles, and policies that uphold appropriate Separation of Duties (SoD) and regulatory requirements
- Manages endpoint communications covering internal, external audits and regulatory examinations for Access Governance topics and/or Identity and Access Management integrations
- Builds and maintains strong relationships with internal, external auditors and regulators; builds and maintains strong relationships with Technology Compliance, Compliance, Privacy, Internal Audit, IT/InfoSec Management and Stakeholders.
- Conducts internal assessments for IAM Policy adherence and reviews and manages access changes resulting from the reviews
- Researches, analyzes, and recommends software to rectify security deficiencies. Reviews daily access abuse monitoring, including necessary communication(s)
- Provides assistance to the business units in identifying and implementing appropriate information security measures
- Collects research in terms of best practices, business processes, and procedures
- Utilizes an IAM suite of products (e.g. Core, Aveksa, CyberArk, Stealthbits, FIM, etc.) and their design and implementation
- Performs other duties as required
Education & Experience Required
- Bachelor’s Degree in Computer Science or Information Systems
- CISSP, CISA, CISM or other information security or IT audit related certifications
- Four or more years of experience in the Identity, Access, and Federation Management segment, supporting security programs and architecture, IT Audit/Compliance or software and systems development programs in a complex enterprise environment.
- Experience with providing guidance for data protection based on data sensitivity and associated business risk.
- Experience working with cloud platforms and/or technologies (AWS, Azure, etc).
Or an equivalent combination of education and experience
On-call, after-hours and weekend support are required.
Job Knowledge & Skills
- Strong technical skills on how access controls are applied in multi-tiered architecture, databases, LDAP and directory services, application servers and network infrastructure.
- Demonstrated proficiency communicating information security, IT audit and access control concepts to technical and non-technical audiences
- Excellent collaboration, problem-solving and decision-making skills.
- Knowledge of best practices and standards for enterprise security architecture across one or more of the following areas: Federation and Single Sign-On, Enterprise Service Bus, Business Process Management, Customer Relationship Management, Enterprise Resource Management, Identity and Access Management, Project Management, Mobility and Data Analytics and Visualization.
- Advanced and basic skills in:
  - Identity and Access Management
  - End User Authentication
  - User access authorization concepts
  - Privileged Access Management
  - Multifactor Authentication
  - Single Sign-On
  - Identity Federation
  - Active Directory and RACF
  - Identity/Access Controls/NIST
  - SOX/SOC/PCI controls
  - Certificates – Basic
  - Core Security Suite – Basic
- Acting with Integrity
- Communicating Effectively
- Pursuing Self-Development
- Serving Customers
- Supporting Change
- Supporting Organizational Goals
- Working with Diverse Populations