Reporting to the Chief Information Security Officer, Information Security Analyst will be the hands-on analyst conducting day to day monitoring of complex information security systems across multiple cloud environments. Additionally, the Information Security Analyst will serve as the primary information security compliance lead and liaison.
Work with Information Security and application development experts to collaboratively define, implement and document the baseline security requirements, security architecture and engineering standards and guidelines for delivering secure architecture and design. Conduct audit of existing application code and recommend industry best practices in the area, as well as, having the capability to analyze multiple instances of vulnerability patterns that can be traced to single root causes to eliminate existing risks. Conduct audits of production and development systems for potential vulnerabilities. Perform security penetration and vulnerability testing against applications and infrastructure. Perform information security policy and procedure reviews and develop information security methodologies and guidelines. Ensure existing application security controls in place are adequate or identify those that require improvement. Provide security consulting services to other application and IT teams. Support application security initiatives to ensure the software applications do not pose information risk to the company.
Duties and Responsibilities:
- Auditing security strategies, processes, and best practices for compliance with security regulations and frameworks, specifically HIPAA and HITRUST CSF
- Maintaining audit records and tracking security metrics for continuous reporting and monitoring requirements
- Vulnerability Management and tracking
- Application specific open source and proprietary tools
- Mobile specific tools
- Multiple operating system scanning and remediation
- Patching and remediation tracking and stewardship
- Participating in periodic audit programs to confidently assert internal controls and drive IT solutions
- Consulting with IT peers and leadership to improve control efficiencies and operating effectiveness
- Driving remediation efforts and working with company stakeholders
- Partnering with various internal departments to obtain and review evidence of compliance
- Encouraging business owners using diplomacy and tact in all interactions
- Tracking and reporting findings, and working with teams to remediate and mitigate risks
- Planning and performing internal audits to assess control design and effectiveness
- Administering or assisting in all security services and projects, and acting as a Security Compliance point of contact for all departments
- Co-Authoring / updating and facilitating the testing of Contingency / Business Continuity/ Disaster Recovery Plans
- Co-Authoring and maintenance of Risk Assessments
- Reviews configurations, monitors and actions Palo Alto Networks Next Generation Firewalls (NGFW).
- Creates confidential bi-monthly summary reports of enetrprise- wide Information Security vulnerabilities and remediation progress.
- Remains current and fluent with industry best practices (e.g., NIST, etc.) and emerging threats.
Desired Knowledge, Skills and Abilities:
- Expertise in web applications assessment using tools such as Rapid 7 InsightVM, Greenbone, Nessus, Nexpose, and open source tools.
- Understanding of application architectures
Experience in security assessment against NIST, HIPAA, HITRUST, OWASP, PCI,
- GLBA, ISO, and other standards
- Knowledge of current and emerging threats and industry frameworks for vulnerability analysis and reporting
- Strong verbal, written, and interpersonal skills
- Demonstrate ethical behaviors, the ability to recognize and deal appropriately with confidential and sensitive information, and maintain the highest levels of confidentiality
- Strong experience with cloud services - AWS preferred
- Linux/Unix/Windows systems and servers experience in
- Familiarity with Docker containers, working experience a plus
- Familiarity with Microservices architecture, working experience a plus
- Experience with continuous integration tools, such as Bamboo and Jenkins
- Experience with configuration management tools such as Ansible, Chef, or Puppet
- Knowledge of SQL, and non-relational (NoSQL) databases
- Knowledge of networking, firewalls, load balancers etc.
After hours on-call support occasionally required.