Sr Information Security Analyst – Defensive Security
Location: Pittsburgh, PA
Job Type: Full Time / Permanent
The Senior Information Security Analyst is a hands-on role focused on defensive security. This role requires a broad, deep level of ecommerce experience, technical expertise, and information security experience. The Senior Information Security Analyst collaborates with Information Technology leaders, architects, engineers, and administrators; outside service providers; business users; and Information Security to assess and manage risk; provide system, network, and data security consulting and assurance; design, select and deploy technical solutions and controls to meet security and business requirements; and implement secure system engineering processes, standards, and tools. The Senior Information Security Analyst is a mentor to security team members and an escalation resource.
- Is the primary security resource, playing a key collaborative, influencing and consultative role in system, network, and data protection and the secure system engineering lifecycle.
- Drives the development, implementation, and operation of application security controls, practices, tools, and services.
- Collaborates with and guides Information Technology leaders, architects, engineers, and administrators; outside service providers; business users; and Information Security to identify and implement security requirements and solutions:
  - Solution architecture, information architecture, security architecture
  - Risk assessment, threat modeling, and business systems analysis
  - Vulnerability management
  - Malware and endpoint protection
  - Enterprise Data Loss Prevention
  - Intrusion Prevention
  - Security consulting to staff and service providers
  - Penetration testing, remediation and verification
  - Solution review and assurance; release management and change control
  - Communication, facilitation and consensus building
- Monitors security information and event management and logs for unusual events. Identifies trends and recommends solutions.
- Reports to and advises management concerning residual risk, vulnerabilities and other security exposures, including misuse of information assets and noncompliance.
- Collaborates with management to facilitate security and compliance reviews (e.g. PCI, SOX, Audits) and address any potential exceptions.
- Collaborates on and influences the approach of critical IT projects to ensure that security issues are addressed throughout the project life cycle.
- Designs and develops security processes and procedures, and supports service-level agreements (SLAs), to ensure that security controls are managed and maintained.
- Specifies, develops and analyzes operational reports to monitor and track whether performance metrics are aligned with defined Service Level Agreements and security requirements.
- Specifies, researches, evaluates and recommends information-security-related hardware and software, including developing business cases for security investments.
- Serves as point of contact to solve complex problems by means of systematic and disciplined troubleshooting.
- Develops and disseminates information security operations documentation.
- Depending on the scope of the role, the Senior Information Security Analyst may be asked to fulfill one or more of the following duties.
- Provides second- and third-level support and analysis during and after a security incident.
- Guides security administrators, analysts and IT staff in the resolution of complex security incidents.
- Helps lead security investigations as incident response coordinator.
- Acts as a liaison between incident response leads and subject matter experts.
- Collaborates with internal and external auditors and assessors. Receives audit findings, and manages the collection of responses and remediation plans with owners.
- Influences the information security governance process to define control recommendations that are both efficient and effective.
- Provides oversight and management of complex audit finding remediation.
- Tracks and analyzes existing and proposed security-standard-setting groups, state and federal legislation and regulations pertaining to information security. Identifies regulatory changes that will affect information security policy, standards and procedures, and recommends appropriate changes.
Education & Experience:
- Five to ten years’ defensive security experience.
- Bachelor’s degree in information systems or equivalent work experience.
- Information security certification preferred.
- Broad and deep knowledge and understanding of information risk concepts and principles, as a means of relating business needs to security controls.
- Broad and deep knowledge of defensive security frameworks, technical solutions, and leading practices.
- Broad and deep knowledge of system and network engineering and systems integration.
- In-depth knowledge of risk assessment and threat modeling methods, frameworks and technologies.
- Knowledge of and experience in influencing, developing and documenting security architecture and plans, including strategic, tactical and project plans.
- Deep experience with a variety of information security systems and tools, such as Security Information and Event Management, Application Vulnerability Management, Infrastructure Vulnerability Management, Intrusion Detection/Prevention, Web Content Filtering, Anti-Virus/Malware and Data Loss Prevention.
- Expertise in PCI and SOX requirements.
- Accountable for attention to detail and accuracy in performing job functions and influences other team members.
- Role model for security integrity and confidentiality regarding the information and access required to perform job duties.
- Strong analytical skills and complex problem management experience. Relies on experience and judgment to plan and accomplish goals.
- Demonstrates creativity and business acumen combined with analysis, critical thinking and problem-solving skills.
- Comfortable facilitating risk, business impact, control and vulnerability assessments.
- Broad, deep experience in developing, documenting and maintaining security policies, processes, procedures and standards. Experience with scripting and security automation.
- Expertise in network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
- Strong analytical problem-solving skills to analyze complex security requirements and relate them to appropriate security controls.
- Ability to interact with personnel at all levels and across all business units and organizations, and to add value to business imperatives.
- Strong written and verbal communication skills.
- A strong customer/client focus, with the ability to manage expectations appropriately, to provide a superior customer/client experience and build long-term relationships.