JOB PURPOSE: Working with various IT and business teams, act as the lead technical subject matter expert on all security matters within the company. Design, deploy, administer and maintain information security systems/architecture utilizing a thorough understanding of available technology, tools, and techniques. Evaluate, implement, and maintain security standards and practices with direction from Information Security Leadership.
- Ensure that all systems, applications, endpoints, and networks have appropriate and adequate security controls in place, and create structures to ensure the ongoing maintenance and effectiveness of these controls.
- Provide leadership and security expertise to project design, development, testing and deployment teams to ensure that all applications meet security requirements and are coded in a secure manner.
- Gain widespread support and compliance with information security requirements & standards. Regularly monitor compliance through log reviews; respond to intrusion alerts, etc.
- Serve as the technical lead/technical subject matter expert on the Incident Response Team in responding to various security incidents such as denial of service attacks, virus/worm infestations, security breaches and questionable internal activities.
- Working with IT Leadership and the Security Architecture group, research, recommend, and evaluate commercial information security products and services to determine which of these should be adopted by or tested by the company.
- Provide special technical guidance and recommendations to co-workers about the risks and control measures associated with new and emerging information system technologies as needed.
- Participate as the lead technical subject matter expert in periodic information systems risk assessments and code reviews, including those of new or significantly enhanced business applications and their underlying supporting infrastructures.
- Assist in the preparation and periodic update of information security policies, architectures, standards, reports and other technical requirements documents needed to enhance security.
- Assume leadership roles in the development of detailed proposals and plans for new information security systems that would reduce operational risk, augment the capabilities or enable new capabilities for the company.
- Assist with the research, evaluation, selection, installation, configuration and adoption of automated tools that enforce or monitor the compliance with information security policies, procedures, standards, and similar information security requirements.
- Identify and determine causes of security violations and verify/assist in the corrective actions to assure data and application security.
- Interact with internal and external auditors as needed to ensure regulatory and policy compliance.
- Bachelor’s degree in related field preferred.
- At least seven years of relevant work experience.
- Experience implementing and operating technologies such as Websense, TippingPoint, Blue Coat, Cisco IOS, IDS/IPS, anti-virus software, advanced anti-malware prevention, MS Windows Server, Unix/Linux systems, Windows desktop systems and Mac OS. Knowledge of mobile (phone and tablet) device security and application security is also required.
- Demonstrated understanding of security business controls, strategies, and methodologies, as well as knowledge of and experience with at least some of the following technologies: firewalls; intrusion detection; directory services; web access controls; advanced authentication methods; public key infrastructure (PKI); VPN; TCP/IP; anti-virus; single sign-on; and audit, diagnostics, and forensic tools.
- Must be competent to work at a high technical level in all phases of architectural design and implementation by possessing a broad understanding of networks, computers, communication systems, threats and vulnerabilities and their interrelationships.
- Must have extensive experience with the current regulatory environment, including Sarbanes-Oxley, PCI-DSS, GLBA, etc.
- Must be able to prepare and present detailed technical documents and presentations as needed.
- Experience working with Agile development methodologies and teams is necessary.
- Extensive knowledge of and hands-on experience with secure web application architecture, design, and coding techniques are required.
- Strong background in data protection via PKI and various other encryption methods.
- Experienced in creating secure & compliant services and applications supporting a range of regulations, including but not limited to, PCI-DSS and PABP, SOX, FACTA & FACTA “red flags” provisions, US state data privacy, and GLBA.
- Expert in secure user authentication and authorization, multi-factor access controls, and role-based access controls (RBAC).
- Experienced with using the Open Web Application Security Project (OWASP) and CWE/SANS web security standards to design and build secure web sites and applications.
- Experience conducting code reviews in Perl, Python, Ruby, Java, Java Swing, HTML, XML, CSS, ASP, ASP.NET, ColdFusion, Oracle, T-SQL, SQL and/or other languages.
- Hands-on experience using enterprise web scanning tools (Nexpose & AppScan experience preferred).
- Knowledge of threat modeling or other risk identification techniques.
- Able to write security test cases and misuse cases for QA teams.