Sr. Information Security Analyst

Description: This position will be responsible for scheduling and performing quarterly vulnerability scans using Metasploit and Nexpose. The security engineer will need to take the output from the scans and compile it into a document that will be reviewed each quarter in order to determine what vulnerabilities need to be corrected. They will submit the request to the correct group and then track the status until completion (vulnerability correction). They will also coordinate third-party vulnerability scans.

The ideal candidate has strong security experience with a background in networking that enables them to interpret scans and understand how remediation will be accomplished in technical terms.

Our client is looking to move toward their ISO 27002 certification. There is quite a bit of documentation and policy that will need to be created or modified in order to get to this level. This person will be responsible for documenting the processes and putting the policy and procedures together if it does not formally exist. A gap analysis will need to be performed initially in order to identify which items are missing for certification, and then a plan put together to achieve certification.

PCI compliance is another project that will fall to this person’s responsibility. They will need to understand the requirements for PCI and communicate what that means for the client’s environment in order to meet compliance.

This position will not be responsible for configuring network devices or firewalls and will not have write access to these devices.

Required:

• Policy/procedure experience  (PCI and ISO 27001/27002)
• Metasploit experience
• Nexpose experience
• SIEM (client has McAfee so that would be preferred)

Essential Duties:

• Provides technical guidance regarding risks and control measures associated with new and emerging technology.
• Prepares and periodically updates information security policies, architectures, standards and /or other technical documents to ensure all resources are adequately protected.
• Interprets information security policies, standards and other requirements as they relate to internal information systems.
• Assists in the selection, installation, and adoption of automated tools that enforce or monitor the compliance of information security policies.
• Participates as a technical advisor for a variety of ad-hoc information security projects as dictated by business and technology developments.
• Recommends new approaches that allow greater standardization and more effective management of information security.