The Data and Application Security Analyst is a first-line-of-defense position focused on safeguarding consumer and company systems and data. The Analyst is primarily responsible for implementing and maintaining all ECS Data Handling & Application security requirements, and for maturing related technology and processes. This is a hands-on position that works very closely with development & operations teams, product owners, and other groups. It requires someone who has had application development and coding experience, combined with a good understanding of Information Security, Secure Coding, and Segregation of Duties principles. The individual must be passionate about helping others and about mentoring and training the people around them. The Analyst will conduct reviews of Cloud & Network infrastructure, Systems infrastructure, Application configurations, and Software Code.
* Develop, assess and enforce Segregation of Duties and Least Privilege Access security principles and best practices across data processing environments.
* Review application security controls, data handling processes and designs prior to live implementations of new features or products; identify data and application security risks and requirements for new projects and system developments.
* Lead application development teams through threat modeling exercises.
* Collaborate to develop security test plans and integrate them into the software development lifecycle.
* Monitor and proactively report on current threats and vulnerabilities to data and application security.
* Conduct assessments of application tools and technologies.
* Evangelize secure data management and code development practices internally.
* Desired Work Experience: 2-4 years in an IT security role, 1-3 years coding experience (Java, .Net, PHP desired). In-depth knowledge of application security vulnerabilities, testing techniques, and the OWASP framework. Excellent understanding of Cloud, network and general technical security controls required.
* Strong IT / IT Security / Architecture background.
* Cloud Technology and Security experience desired.
* Membership and active participation in security organizations, such as OWASP, ISSA, and SANS is preferred.
* CEH, CISSP and/or CCSP certification preferred.
* Knowledge of IT Risk and Security governance.
* Understanding of risks in financial services sector preferred.
* Strong understanding of cryptographic algorithms and protocols: symmetric/asymmetric encryption, hashing, SSL/TLS, IPSec, PGP, S/MIME, SSH, PKI.
* In-depth understanding of secure web application development, Java, .Net, C#, web services and in-depth knowledge of modern-day database/datastore architectures and query languages.
* Understanding of Agile Scrum development methodologies.
* Networking hardware - routers, switches, load balancers, next generation firewalls, etc.
* Access control using AD, LDAP, JWT, SAML, OAuth.
* Data Access Monitoring (DAM)
* Web Application Firewalls
* IPS technology
* Vulnerability Management & Vulnerability Scanning (Qualys, Burp Suite, Nessus, etc.)
* Working experience with IT policies, procedures, and standards.
Work under general supervision. Follows established procedures. Work is reviewed for soundness of judgment, overall adequacy, and accuracy.
* Communicates effectively in English in written and verbal form
* Writes reports with correct grammar, punctuation, spelling and good structure
* Read, analyze, and interpret complex, technical and business documents
* Recommends solutions for defined processes
Documentation & Presentation Skills
* Effectively presents information, ideas, and perspectives to peers, team members and managers and responds to questions
* Speaks effectively one-on-one and in small group situations
* Reads and analyzes technology journals and interprets documents, such as technical reports and instructions
* Follows documentation requirements
* May need guidance with presenting data
* Provides solutions to a variety of technology problems of moderate scope and complexity
* Collaborates and communicates effectively in a team environment, contributing to the team's results
* Accepts direction, listens to and considers others' ideas/concerns
* Develops and maintains good working relationships with internal and external contacts
* Maintains confidentiality for all technology projects and areas of business development
* Works on difficult research projects of limited scope
* Identifies problems in defined area, generates alternatives and recommends solutions
EOE including Disability and Veterans.