Senior IT Risk Analyst, Security

Carmax (


  Full Time   Employee

United States


Position Description

The Sr. IT Risk Analyst should have in-depth technical knowledge and be the subject matter expert in IT Risk Management, security, controls, and audit compliance. In this role, the Sr. IT Risk Analyst will be responsible for maintaining and executing IT Risk Management framework and processes in line with ISO 27001 and NIST 800-30. This role will also be responsible for influencing and managing security policies and supporting controls. This position will take part in contract reviews for information security provisions, and service provider oversight, including the monitoring of remediation/mitigation plans to address weaknesses, performing information security risk assessments internal and external with 3rd party service providers. SSAE16 reviews, understanding threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information and serves as an IT Risk Management expert on IT Business plan initiatives. This position will assist with the company-wide security awareness program, including design and management of the annual Information Security Training. In addition, this position will be expected to coach and serve as a IT Risk expert by providing direction on cross functional projects and ensuring that policies, procedures, leading practices, access control, asset classification and privacy, architecture and compliance with company security, compliance standards and regulatory obligations.

Position Requirements

• Support, execute and maintain a framework for IT risk management including validation and classification methods.
• Perform information security risk assessments on key third party service providers based on type, service and weighted on risk, understanding threats, vulnerabilities and exposures associated with confidentiality, integrity and availability of information.
• Help develop related processes and procedures in order to ensure and enforce compliance with all company policies, applicable laws, and regulatory requirements regarding information security, privacy, and data integrity as well as reducing vulnerabilities.
• Assist with the development and delivery of information security risk related training and awareness programs.
• Provide system administration and records retention leadership (electronic and paper) to all business units to ensure the archival of CarMax’s&reg: data is in accordance with internal and external regulatory standard practice/guidelines.
• Perform analysis of security vulnerabilities developing risk-based business recommendations.
• Provide requirements and clear direction to peers, across functional teams and 3rd party service providers. Serve as the risk management expert on cross organizational projects and initiatives.
• Partner with application developers to review commercial and internally developed applications to determine risk and compliance with required security controls and help to determine secure solutions.
• Responsible for providing expertise and direction to CarMax’s&reg: procurement and legal teams including practical suggestions on leading practices, industry standards and guidance in the interpretation and implementation of 3rd party network connection or technology and business processes to meet security risk regulations and data integrity.
• Maintain a strong knowledge base of industry and technology trends as they apply to IT risk management.

Information Risk Methodology:
• Ability to help design and implement industry standard risk management practices across IT Operations and Development teams
• Champion of the information risk management methodology by demonstrating ownership of the design aspects of the operations lifecycle
• Passionate about supporting & ownership of threat areas of security systems
• Consistently shows the ability to mentor others in the assessment of risk as it relates to CarMax’s&reg: data.
• Understand level of risks and exposure as it relates to systems, services and networks.
• Driver of security awareness type activities with proven results.

Customer Interaction and Business Knowledge:
• Ability to understand the business requirements as well as provide a proposal of the appropriate information risk resolution to computer threats.
• Broad understanding of the business processes supported across all team’s environments.
• Ability to lead customer/remediation meeting(s) for information security risk definitions, needs assessments and design reviews that impact all areas of business systems.
• Collaborate with Privacy and Legal departments for assessment improvements.

• Able to help influence the information security risk direction of others in order to drive corporate risk acceptance to successful completion within the IT Risk standards and guidance.
• Proven ability to effectively communicate remediation and prevention approaches via leading practices
• Ability to help develop and deliver security awareness training and business understanding for business partners, engineers, developers and analyst.
• Ability to drive through obstacles and time constraints to successfully deliver remediation to completion

Additional Responsibilities:
• Partner with the Information security and IT teams to gain consensus on risk remediation approaches and establish security standards, patterns, policies, and leading practices for risk management and Incident Response.
• Investigating new standards, techniques and research ongoing industry developments for information risk management practices.


Strong understanding of key compliance regulations such as Sarbanes-Oxley, GLBA, HIPPA and Payment Card Industry (PCI), plus external regulations new or changed within IT and identify industry standards from which to modify core IT risk processes staying ahead of industry trends and emerging threats.
Experience in execution of an enterprise risk framework, including the identification, assessment and mitigation of risk: understanding how to balance the companies risk appetite and its overall impact
Detailed knowledge and experience with network and applications protocols such as TCP/IP, HTTP, or SMB.
Extensive understanding of network controls such as Firewalls, ACL, Intrusion Detection Systems and Proxies.
Detailed knowledge of user administration, authentication methods, file permissions, groups, and domain concepts.
Demonstrated ability to compare and contrast alternative security risk approaches and methodologies while assessing risk both quantitatively and qualitatively to meet the business needs
Proven experience with influencing without authority to in order to gather requirements and translate risks into actions
Able to assess, identify, and document third party system security deficiencies and recommends solutions.
Excellent communication skills to include but not limited to verbal and written communication; delivering organized presentations; able to tailor message to the audience; and facilitate group discussions with diplomacy and seek diverse opinions
Excellent analytical, troubleshooting, and problem solving skills and performs well under fast paced, high pressure or stressful situations.
Possess strong organization and time management skills.
Ability to learn the business processes implemented in the team’s applications in Demonstrated flexibility

Education and/or Experience:
In depth knowledge of information security, risk management industry frameworks and standards NIST, OWASP, SANS, ISO-27001/2, SANS, Cobit and ITIL
5+ years working experience with enterprise risk management programs, privacy, data security and control issues with technologies such as Cloud, SaaS, Linux, Windows, VMware, Intrusion Prevention, Automated Malware inspection, Web Proxies, Firewalls, routers and/or switches, SAST, Network Vulnerability Assessment or Data Loss Prevention firewalls, routers and/or switches
Previous working experience and knowledge of two or more security functions (IT Risk Assessor, QSA, Security Specialist, IT Auditor)

Possession of industry certifications: CRISC, CISSP, CIA, CISA, CISM, BCBP, PCI
Experience implementing incident handling guidelines such as the NIST Computer Security Incident Handling guide
Dedication and commitment to top-quality service and to exceeding customer expectations
Desire to keep current with technology and emerging IT risks

To apply for this job, contact:
Ashley Murr

Save This Job

Email This Job to a Friend