Title: Security and Privacy Professional
Reports to: CIO
Salary: DoE
POSITION SUMMARY
This position resides within theDigital Servicesgroup ofCLIENT. TheSecurityand PrivacyProfessional,in close partnership with the CIO and CISO, overseesand coordinates day-to-dayactivityrelated to information securityand privacyoriented initiatives,policies, standardsand proceduresthroughoutthe organization.The SecurityandPrivacy Professionalis responsibleforplanning,influencing,and coordinating the company's information securitypolicies, setting procedures and guidelinesto ensure that all information systemsare functional,secureand safeguarded throughoutthecompanyand arein compliancewith privacyand information securitylaws and regulationsapplicable to retail institutions.Additionally,the Securityand PrivacyProfessionalis responsible for providing leadership during securityevents,as wellas ensuring the technicaland administrativesupport forthe developmentofDisasterRecoveryandBusiness Continuity programs for the company. The incumbentinterfaces with theInformation and Digital
ServicesCore IT Operationsteam on matters of securityand privacyoperationalcontrols. In addition, theincumbentacts as an internal consultant and to the organizationon issues involving securityand privacy.
RESPONSIBILITIES
- Work to determine acceptable risk levels for the enterprise and ensure that the IT environments are adequately protected from potential risks and threats
Participate in development and implementation of the appropriate and effective controls to mitigate identified threats andrisks
Assist in tactical follow-up on detected security issues and drive the design and implementation of solutions to reduce security risks
Drive theresearch, development,and communicationaroundSecurityand Privacy matters,by maintaining and workingwith theoperationalunits on the enforcement ofIT securityarchitecture,policies,procedures, solutionsand standards
Participate in and provide specific IT security oriented leadership during incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary
Keep abreast and advise the company with regard to the latest industry security and privacybest-practicesand technologies
Coordinate with Business Owners to analyze, document and define requirements associated with new development or maintenance and enhancements to existing securityrolesand permissions.
Deliver services that meet regulatory specifications. Work with internal and external auditors to document and confirm that all security administrative duties are properly performed as well as demonstrate overall compliance .
Qualifications A minimum of 5 years operational and strategic experience in IT controls and information security, IT compliance, networking security or IT audit is required.
Artifact management experience including the development and maintenance of Policies, Standards, and other supporting documentation. Ability to document and maintain the details of IT remediation projects, committee meetings, and the findingsof security testing and assessmentprojects.
Operational experience with IT compliance requirements and processes, especially PCI DSS and adjacent PCI industry controls, mitigations, and incidentresponses.
Operational experience in the inventory and classification of IT assets, and the update and maintenance thereof
Access control and identity management experience, including the principles and management of access to network infrastructure, server platforms, Active Directory domains, and databases. Ability to provide subject matter expertise in the areas of configuration management and maintenance of access control and assessment of access for these systems. Knowledge of RADIUS, LDAP, and Cloud SSO solutionsis a plus
Skilled in the principles and management of key management and encryption systems, for information in transit and at rest. Extensive knowledge of both symmetricandasymmetriccryptographic systems
Demonstrateextensiveexperiencewithvulnerability management
Education 4-yearcollegedegree or demonstratedequivalentexperiencewith appropriate time-in-role,with subject matter majorsin ComputerScience, Information Management, Information Securityor equivalentdisciplines
A SANS, CISSP or other equivalent industry-recognized Security certification is required.
Additional certifications in IT audit or IT controls design and management are preferred
CObIT and/orITIL certifications, education, or equivalent experiencewith controland operationalframeworksa strongplus
Technical Skills Information securityassessmentand auditingprocedures, fromboth technicaland business perspectives,and theuse of formalmethodologiessuch asNSAIAM
- Vulnerability sanning and auditing tools
Enterprise-scalenetwork and host-basedIDS architectures Enterprise-scale firewallarchitectures
E-commerceapplication security
Computer investigation and forensics methods and technologies Secure messaging architectures
Strong Knowledge of regulatory bodies, and the regulations and guidance issued by these bodies
Strong knowledge of control and privacy laws and standards, such as GLBA, 581386, SOX and PCI
Must possess strong project management and leadership aptitude; demonstrated professionalismin managingmultipleprojectsandresources effectively.
General Knowledge andAbilities Experience with PKI certificate management and root certificate repositories Workingexperiencewithpenetration testing
- Experience working in a SaaS oriented Cloudenvironment Project Management experience
Strongcommunicationandfacilitation skills
PhysicalRequirements Office based professional,no physicalrequirements