Information Security Analyst (PCI) – Information Technology – Dallas, Texas
Summary of Responsibilities:
The Senior Consultant – Information Security leads first line of defense IT Security services, consultation, leadership and subject matter expertise to SC businesses and functions on Information Security related matters. They review, design and develop security operational processes, standards, and procedures utilizing current and new technologies to improve security controls and business performance. The Senior Consultant – Information Security leads strategic information security direction that is aligned with corporate business objectives and regulatory requirements.
- Subject Matter Expertise – Leads as information security subject matter expert to business areas, project teams and vendors to apply and execute appropriate use of technology solutions and leads efforts to examine technology vision, opportunities and challenges with regard to security standards and the impact of the technology.
- Security Trends – Continually works to enhance breadth and depth of knowledge and experience. Benchmarks technology strategies and architectures. Monitors and anticipates trends and investigates organizational objectives and needs. Provides guidance on security solutions and prepares benchmarking reports and presentations.
- Project Oversight – Assesses project risk and complexity. Oversees project handoffs including preparing documentation, educating and supporting to ensure smooth transitions. Leads the selection and design of tools that allow reuse of design components and patterns between projects.
- Vendor/Tool Selection – Leads the research, evaluation, proof-of-concept, selection and implementation of technology solutions. Negotiates with vendors. Provides detailed analysis of pros and cons and build-vs-buy options. This includes interaction with vendors, IT and business area contacts to facilitate flexible and scalable solutions. Ensures that the technical design considers security controls, performance, confidentiality, integrity, availability, access and total cost. Oversees working solutions or prototypes and resolves any issues that arise.
- Strategy & Architecture – Leads security strategy, architecture and tools in accordance with company standards, policies, procedures and other formal guidance, ensuring security technology standards and best practices are maintained across the organization.
- Process Improvement – Promotes implementation of new technology, solutions and methods to improve business processes, efficiency, effectiveness and value delivered to customers. Oversees operational, architectural and design documentation including procedures, task lists, and architecture blueprints.
- Information Security Risk Management – Matures information security risk management processes, program and strategy. Aligns information security activities with PCI, SOX, and GLBA regulatory requirements and internal governing enterprise risk management policies. Identifies security gaps and deficiencies by conducting risk assessments; recommends corrective action for identified vulnerabilities and weaknesses. Leads the planning, testing, tracking, remediation, and risk acceptance for identified security risks. Oversees the creation and publication of internal controls. Ensures requisite compliance monitoring is in place to identify control weaknesses, compliance breaches and operational loss events. Ensures adequate compliance resources and training, fostering a risk- and compliance-focused culture and optimizing relations with corporate compliance members and regulators.
- Due Diligence – Leads enterprise due-diligence activities including security monitoring and security metrics to evaluate effectiveness of the enterprise security program and established controls.
- Incident Response – Leads security incident response activities and post-event reviews of security incidents. Ensures the clear and professional documentation of root cause and risk analysis of all findings. Reviews and leads action plans for issue resolution. Leads investigations of, and reporting on, security threats and incidents.
- Secure Application Development – Leads highly technical/analytical security assessments of custom web applications, mid-tier application services and backend mainframe applications, including manual penetration testing, source code and configuration review using a risk-based intelligence-led methodology. Identifies potential misuse scenarios. Advises on secure development practices.
- Secure Testing – Oversees security testing projects according to a structured process, including writing test plans, test cases and test reports. This may include configuration and deployment of security testing software and application of results to security analysis. Leads basic proof-of-concept exploits of vulnerabilities.
- Mentoring – Interfaces with peers and senior leadership, communicates at all levels. Provides guidance to less experienced Information Security team members.
The ideal candidate will possess the following:
- Bachelor’s degree in Information Security, Information Technology, Information Systems Management, Computer Science, Engineering or related field(s) or equivalent demonstrated work experience.
- 6-10 years of IT experience that includes at least 5 years in information security and 2 years in management
- Strong working knowledge of:
  - Windows-based platforms, application and TCP/IP network security technologies
  - Information security concepts, principles and components of a comprehensive information security program
  - Application security concepts, including common application security issues such as the OWASP Top 10
  - Control frameworks and control objectives
- Strong, demonstrable aptitude for and interest in information and application security
Work Environment Characteristics
- Self-motivated and results-oriented, including ability to prioritize conflicting demands.
- Exceptional organizational skills to balance work and lead projects.
- Demonstrable leadership and interpersonal skills with experience in mentoring team members
- Strong initiative, consensus-building and ability to collaborate directly and build strong relationships with a variety of internal and external stakeholders (business, development, compliance, etc.)
- Strong written communication (writing sample may be requested) and professional verbal communication skills, experienced facilitator and presenter
- Ability to adapt and apply information to new scenarios and technologies.
Additional preferred qualifications:
- Relevant professional certifications or working towards attainment such as: GCIH/GSEC, CISM, CISA, CISSP, CRISC
- Advanced knowledge of common web technologies, enterprise and network architecture
- Strong understanding of:
  - modern security tools and controls
  - secure development life cycle methodologies
  - programming languages or other scripting languages
  - web-based application architectures (IIS, Apache, etc.)
  - financial industry regulations such as GLBA, PCI, and SOX
  - application protocols such as MS-SQL, LDAP, and SSO
  - data protection controls
  - applied use of cryptography
- Advanced knowledge of or demonstrated experience with defense in depth, trust levels, privileges and permissions
- Advanced knowledge of or demonstrated experience in application penetration testing
- Advanced knowledge of, and development experience on, mainframe and Unix platforms
- Large complex multi-national Financial Services industry related experience
Major Challenges and Role Context:
- Fast paced environment requiring execution of multiple simultaneous deliverables.
- Indirect reporting structure with conflicting deliverables and timelines.
- Influence stakeholder compliance of regulatory standards while managing deadlines.
- Dallas based position (with limited telecommuting).
- Minimal domestic travel required (<15%).
- Support 6500+ users across North America.
- Extended working hours may be required as dictated by management and business needs.
- May be required to lift, push, or pull materials weighing up to twenty (20) pounds.
- May be required to sit and review information on a computer screen for long periods of time.
- May require repetitive motions of the hands and wrist related to writing and typing at an electronic keyboard.
This job description does not list all the duties of the job. You may be asked by your supervisors or managers to perform other duties. You will be evaluated in part based upon your performance of the tasks listed in this job description.
The employer has the right to revise this job description at any time. This job description is not a contract for employment, and either you or the employer may terminate employment at any time, for any reason.