Senior Information Security Analyst

  • Rockville, MARYLAND, United States
  • Full-time
  • Department: IT

Company Description

Our Mission

Aurinia exists to make a difference in transforming people’s lives by delivering innovative treatments to patients living with serious, rare autoimmune and inflammatory diseases. From the earliest days of the company, we’ve applied an inventive, thoughtful, and responsible approach to developing therapies for people in need. Through our dedication, we relentlessly preserve and execute with integrity to reach our main objective, to improve patients’ health.

In addition to driving adoption of our approved therapy, LUPKYNIS™, for appropriate people with lupus nephritis, we are also actively pursuing a broader portfolio of innovative drugs for autoimmune disease.

Our strategy leverages the skills and knowledge of our incredible team and our deep experience in principled drug development and commercialization. Aurinia provides a working environment where individuals can thrive in a professional, creative, and inspirational atmosphere. Together, we are driven to make an impact for our patient communities as advocates and partners in innovation.

Job Description

The Senior Information Security Analyst is a member of the IT Operations team and works closely with the other members of the IT team and other business areas to develop and implement a comprehensive information security program. This includes defining security policies, processes, and standards. The security analyst works with the IT department and managed service providers to select and deploy technical controls to meet specific security requirements and defines processes and standards to ensure that security configurations are maintained.

Primary Responsibilities

  • Works with the company’s business units and with other risk functions to identify security requirements, using methods that may include risk and business impact assessments.
  • Collaborates on critical IT projects to ensure that security issues are addressed throughout the project life cycle.
  • Researches, evaluates, and recommends information-security-related solutions, including developing business cases for security investments.
  • Liaisons with the vendor management team to conduct security assessments of existing and prospective vendors, especially those with which the organization shares intellectual property, PII, ePHI, regulated or other protected data, including: SaaS provider, Cloud as a service (IaaS/PaaS) providers, and managed service providers.
  • Evaluates the statements of work from these providers to ensure that adequate security protections are in place. Assesses the providers’ SSAE 16 SOC 1 and SOC 2 audit reports (or alternative sources) for security-related deficiencies and required “user controls,” and report any findings.
  • Oversees the installation and configuration management of security systems and applications, including policy assessment and compliance tools, network security appliances and host-based security systems by managed service providers.
  • Liaisons with the business continuity management team to validate security practices for both disaster recovery planning (DRP) and business continuity management (BCM) testing and operations when a failover occurs.
  • Researches threats and vulnerabilities and, where appropriate, coordinates action to mitigate threats and remediate vulnerabilities.
  • Participates in security investigations and compliance reviews, as requested by internal or external auditors.
  • Tracks developments and changes in the digital business and threat environments to ensure that these are adequately addressed in security strategy plans and architecture artifacts.
  • Validates that security and other critical patches to firmware and operating systems are configured and deployed in a timely fashion.
  • Facilitates threat modeling of services and applications that correlates to the risk and data associated with the service or application.
  • Ensures that a complete, accurate and valid inventory of all systems, infrastructure and applications is conducted that for assessment an included in security event monitoring solutions.
  • Coordinates with the Legal and Compliance team to document data flows of sensitive information within the organization (e.g., PII or ePHI) and recommends controls to ensure this data is adequately secured.
  • Coordinates security assessments of internal systems, applications, and IT infrastructure as part of the overall risk management practice of the organization.
  • Supports e-discovery processes to include identification, collection, preservation and processing of relevant data.



  • Degree/Diploma in an information system and/or information security related discipline.
  • 8+ years of progressive experiencing in information security roles involved with assessment, response, eradication, and recovering from security attacks.
  • Experience in SaaS system environments, particularly Microsoft 365, NetSuite ERP and Veeva Systems (QualityDocs, Training, QMS, PromoMats, CRM).
  • Working knowledge of the Microsoft Advanced Threat Protection platform.
  • Experience working in a public life sciences company supporting GxP and business systems.
  • Experience in developing, documenting, and maintaining security programs, policies, processes, procedures, and standards.
  • In-depth knowledge and understanding of information risk concepts and principles, as a means of relating business needs to security controls.
  • In-depth knowledge of risk assessment methods and technologies.
  • Proficiency in performing risk, business impact, control and vulnerability assessments.
  • Strong understanding of business applications, including ERP and financial systems.
  • Demonstrated experience in creating and maintaining strong relationships and accountability with external service providers.
  • Strong verbal and written communication skills
  • Wholistic, logical, and analytical thinker.
  • Validated Systems (e.g., Good Automated Manufacturing Practice [GAMP], Computer Software Assurance)
  • Working knowledge of Sarbanes-Oxley Act
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) knowledge
  • Working knowledge of General Data Protection Regulation (GDPR)

Preference will be given to candidates with the following certifications: CISSP, CRISC, CISM, CISA, GIAC, or CIPT.

We appreciate flexibility at Aurinia. This role is posted as Rockville, MD but as a distributed organization, we are open to fill this role in a remote capacity or out of our Victoria, BC location.

Additional Information

All candidate information will be kept confidential according to EEO guidelines