Sr IT Security Analyst
Location: Pittsburgh, PA
Job Type: Full Time / Permanent
The Senior Information Security Analyst is a hands-on role focused on ecommerce and application development security. This role requires a broad, deep level of ecommerce experience, technical expertise, and information security experience. The Senior Information Security Analyst collaborates with staff developers, outside service providers, Information Technology, business users, and Information Security to assess and manage risk; provide software engineering security consulting and assurance; design, select and deploy technical controls to meet security and business requirements; and implement secure software engineering processes, standards, and tools. The Senior Information Security Analyst is a mentor to security team members and an escalation resource.
- Is the primary security resource that plays a key collaborative, influencing and consultative role in the ecommerce and corporate application secure software engineering life cycle.
- Drives the development, implementation, and operation of application security controls, practices, tools, and services.
- Collaborates with and guides developers, service providers, Information Technology, and business users to identify and implement security requirements and solutions:
- Solution architecture, information architecture, security architecture
- Risk assessment, threat modeling, and business systems analysis
- Security consulting to staff developers and service providers
- Application vulnerability scanning, code composition analysis, and remediation
- Penetration testing, remediation and verification
- Solution review and assurance; release management and change control
- Communication, facilitation and consensus building
- Monitors security information and event management and logs for unusual events. Identifies trends and recommends solutions.
- Reports to and advises management concerning residual risk, vulnerabilities and other security exposures, including misuse of information assets and noncompliance.
- Collaborates with management to facilitate security and compliance reviews (e.g. PCI, SOX, Audits) and address any potential exceptions.
- Collaborates on and influences the approach of critical IT projects to ensure that security issues are addressed throughout the project life cycle.
- Designs and develops security processes and procedures, and supports service-level agreements (SLAs) to ensure that security controls are managed and maintained.
- Specifies, develops and analyzes operational reports to monitor and track performance metrics are aligned with defined Service Level Agreements and security requirements.
- Specifies, researches, evaluates and recommends information-security-related hardware and software, including developing business cases for security investments.
- Serves as point of contact to solve complex problems by means of systematic and disciplined troubleshooting.
- Develops and disseminates information security operations documentation.
- Incident Detection and Response
- Provides second- and third-level support and analysis during and after a security incident.
- Guides security administrators, analysts and IT staff in the resolution of complex security incidents.
- Helps lead security investigations as incident response coordinator.
- Acts as a liaison between incident response leads and subject matter experts.
- Audit Support
- Collaborates with internal and external auditors and assessors. Receives audit findings, and manages the collection of responses and remediation plans with owners.
- Influences the information security governance process to define control recommendations that are both efficient and effective.
- Provides oversight and management of complex audit finding remediation.
- Tracks and analyzes existing and proposed security-standard-setting groups, state and federal legislation and regulations pertaining to information security. Identifies regulatory changes that will affect information security policy, standards and procedures, and recommends appropriate changes.
Education & Experience:
- Five to ten years’ ecommerce or application development security experience.
- Bachelor’s degree in information systems or equivalent work experience.
- Information security certification preferred.
- Broad and deep knowledge and understanding of information risk concepts and principles, as a means of relating business needs to security controls.
- Broad and deep knowledge of ecommerce and application development security practices and technologies.
- Broad and deep knowledge of hosted ecommerce platforms and systems integration.
- Broad and deep knowledge of software assurance principles, software assurance maturity models and frameworks.
- In-depth knowledge of risk assessment and threat modeling methods, frameworks and technologies.
- Knowledge of and experience in influencing, developing and documenting security architecture and plans, including strategic, tactical and project plans.
- Deep experience with a variety of information security systems and tools, such as Security Information and Event Management, Application Vulnerability Management, Infrastructure
- Vulnerability Management, Intrusion Detection/Prevention, Web Content Filtering, Anti-Virus/Malware and Data Loss Prevention.
- Expertise in PCI and SOX requirements.
- Accountable for attention to detail and accuracy in performing job functions and influences other team members.
- Role model for security integrity and confidentiality to information and access required to perform job duties.
- Strong analytical skills and complex problem management experience. Relies on experience and judgment to plan and accomplish goals
- Demonstrate creativity and business acumen combined with analysis, critical thinking and problem solving skills
- Comfortable facilitating risk, business impact, control and vulnerability assessments.
- Broad, deep experience in developing, documenting and maintaining security policies, processes, procedures and standards. Experience with scripting and security automation.
- Expertise in network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.
- Strong analytical problem solving skills to analyze complex security requirements and relate them to appropriate security controls.
- Ability to interact with personnel at all levels and across all business units and organizations, and to add value to business imperatives.
- Strong written and verbal communication skills.
- A strong customer/client focus, with the ability to manage expectations appropriately, to provide a superior customer/client experience and build long-term relationships.