Technical Security Policy Engineer
Posted on Nov 12, 2018 by Request Technology - Kyle Honn
- Serve as a subject matter expert for Information Security, consulting to technical management (serving on project teams, discussing application and systems architectures, etc.), non-technical management (educating the user community on information security) and attorneys (e.g., litigation-related technical education) as necessary.
- Security Awareness: assist in coordination of the program, including development of awareness content, scheduling of awareness activities and measuring progress of the program.
- Vulnerability Management: collect information on emerging threats including software vulnerabilities. Coordinate triage of and response to vulnerability information. Disseminate this information regularly to firm staff and management as appropriate.
- Participate in long-term strategy and planning for Information Security
- Manage and support GRC technology and Security Governance solutions. Create and maintain system, procedural and support documentation.
- Manage and support the 3rd Party Security Vendor Risk Management program and life cycle.
- Document and perform Risk Assessments for third parties (e.g., vendors and service providers). Respond to security assessments, questionnaires and audits from clients and third-party business partners.
- Create and maintain security policies, standards, processes and guidelines for approval by Firm management. Evaluate exception requests and make approval recommendations to management.
- Preferred candidate will have one or more of the following certifications:
- Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), or other relevant training and certifications
- Solid experience with Anti-Malware and AEP technologies, Encryption, Incident and Event Management, Web Filtering, IDS/IPS, Firewalls, Vulnerability Management, Privileged Access Management.
- GRC tool management: Administration, Engineering or both
- Ability to perform as primary Security SME.
- Ability to facilitate project and vendor risk assessments with relative independence and provide guidance on secure design and operation.
- Knowledge of data encryption technologies.
- Strong knowledge of Intrusion Detection and Intrusion Prevention technical capabilities.
- Knowledge of web filtering and email SPAM prevention techniques.
- Knowledge of vulnerability assessment and forensic investigations tools.
- Knowledge of mobile device security and Mobile Device Management solutions
- Knowledge of Privileged Access Management technologies
- Windows Authentication and Active Directory integration
- Ability to complete and assist in completing client security questionnaires and security assessments concerning the Firm's security program and controls.
- Ability to communicate an effective security awareness message throughout the organization.
- Demonstrate ability to create and maintain security policy, standard, guideline and procedure documents.
- Demonstrate ability to effectively communicate deeply technical topics at an appropriate level of detail to varied audiences - including IT Subject Matter Experts, senior management and non-technical users
- Strong knowledge of security frameworks and technologies such as ISO 27001, NIST, SOC, SIG
- Experience (Administration or Engineering) in GRC platforms
- Broad awareness of and exposure to diverse security tools and their capabilities, including commercial and open-source options.
- Strong knowledge of risk management principles and practices.
- Strong knowledge of security administration and role-based security controls.
- Strong knowledge and use of GRC platforms.
- Knowledge of host and network-based anti-malware technologies.
- Knowledge of authentication technologies and interactions between diverse authentication platforms, both on-site and remote.
- Knowledge of client and server Firewalling technologies, including configuration and administration.
- Knowledge of Intrusion Detection and Prevention solutions, including configuration and administration.
- Knowledge of security event management (SIEM), event correlation and analysis technologies.