Compliance & Security Analyst
Posted on Sep 21, 2019 by Independent Software
Location: Fort Washington, PA
Duration: Direct Hire
As the Compliance & Security Analyst, you will be responsible for developing, implementing and administering the plans, policies, techniques and services that ensure ongoing compliance and security of company information resources. You will act as a security advocate and as the liaison with business units on information security issues and ongoing compliance maintenance.
Responsibilities to include:
- Achieve and maintain PCI DSS and SOX compliance by coordinating and managing the actions of teams across the organization and by serving as the primary liaison between internal/external auditors and all business stakeholders.
- Identify and document security vulnerabilities and weaknesses in the environment, such as potential for unauthorized access and non-compliance with defined standards.
- Assist in the development of information security policies, standards, procedures, checklists and guidelines, using generally recognized security concepts tailored to the requirements of the organization.
- Perform and/or respond to information technology assessments, penetration tests and audits of organizational automated systems and processes; interpret results; and develop and communicate recommendations for improvement to management.
- Provide security awareness training to organization employees.
- Perform and manage an internal Continuous Compliance Monitoring Program.
- Lead coordination of IT security-related incidents and be the point of escalation for enterprise security incidents.
- Assist with incident response through the full incident life cycle.
- Develop, maintain and report on security program metrics that measure program effectiveness.
- Perform and manage supplier risk assessments.
- Review and verify security patch processes.
- Perform product evaluations; recommend and implement enterprise security products/services.
- Validate and test security architecture and design solutions against recommended vendor technologies.
- Use Word, Excel, Project and Visio proficiently for documentation, tracking and planning.
- Assist the manager/director in planning, time budgeting and scheduling work for completion.
- Provide threat management oversight for firewalls, intrusion detection systems, enterprise anti-virus and log monitoring tools.
- Review and approve corporate and PCI in-scope firewall rule requests and WAF changes; perform WAF tuning as necessary.
- Monitor, report on and aid in the resolution of all security-related problems and discrepancies.
- Manage the SIEM and, in coordination with the vendor SOC, ensure sufficient coverage to monitor PCI, PII and all other assets that store, process or transmit company confidential/sensitive data. Ensure alerts from current and future systems are properly designed and monitored.
- Manage the internal/external vulnerability management program and, as appropriate, expand the scope of vulnerability scans and application/network penetration tests to cover the enterprise and all systems/environments that store, process or transmit company confidential/sensitive data.
- Monitor appropriate sources for newly identified vulnerabilities, evaluate the risk such vulnerabilities pose to the organization's information and systems, and advise management of appropriate measures to eliminate or reduce the organization's exposure to them.
Qualifications:
- A Bachelor's degree in Computer Science, Information Security Management, Engineering or equivalent is required.
- 2-5 years' experience in information security is desired, preferably in e-commerce/retail environments.
- Strong experience with IT security standards and best-practice frameworks (e.g., ISO 27001/27002, NIST, ITIL, PCI DSS, SOX, HIPAA, FISMA).
- Ability to work with subject matter experts, vendors and third-party MSSPs to coordinate activities and complete compliance/security-related projects or tasks in a timely manner.
- Experience with network and application vulnerability scanners (e.g., Qualys, Nessus, Nmap, AppScan, Burp Suite, OWASP ZAP).
- Experience with GRC (governance, risk and compliance) tools.
- Experience with IP networking and routing protocols, and an understanding of security-related technologies including encryption, IPsec, PKI, VPNs, firewalls, WAF devices, proxy services, DNS, email, Active Directory, LDAP and access-lists.
- Knowledge of hardening concepts and auditing for Unix, Linux and Windows servers and desktop systems.
- Knowledge of common application vulnerabilities, current threat vectors and their mitigations.
- Knowledge of IP protocols, networks, security architectures and security threats.
- Knowledge of Internet and web application security techniques (e.g., SANS, OWASP guidance).
- Security certifications such as CISA or CISSP are highly desirable.