Description/environment: Candidates must be available to work on-site, 40 hours per week minimum, with no travel expenses.
The Security Analyst III consultant will conduct cyber security assessments for all software and systems projects using a committee structure that combines Security and ITS. This individual will work with a team of other security analysts to perform assessments and to contribute to the development of the overall program. In addition, the individual will support ongoing risk assessments and security governance activities.
Per Project Assessments (80%)
• Perform and document security assessments for a variety of projects at various stages of the project lifecycle.
• Review design documents and interview subject matter experts to understand the architecture and design of the project deliverables and document risks and recommendations.
• Perform code review, as needed, to validate that secure software has been delivered. Document risks and recommendations.
• Perform functional security testing and abuse testing to validate that security controls were implemented as designed.
• Perform penetration tests of project deliverables and/or coordinate pen testing by third-party consultants.
• Document risk acceptances to obtain approvals for residual risks.
Program Work (20%)
• Document a decision tree to determine the specific security assessments that need to be performed on a project deliverable based on risk (e.g. pen tests may not be needed for all software).
• Enhance security assessment review templates to ensure that all analysts have clear and consistent criteria for assessments and that the process is streamlined for efficiency.
• Participate in Joint Security Assessment Review Committee (JSARC) team meetings to refine the program.
• Review the assessments of other security analysts as part of the JSARC and vote on the assessments and recommendations.
• Support the risk assessment process in line with the ISO 27001 information security management system.
• Support the review of security controls for overall adherence to ISO 27001, NERC-CIP, and SSAE-16 requirements.
• Five or more years of professional experience in information security.
• Experience performing tabletop/paper-based security assessments.
• Hands-on penetration testing experience is preferred.
• Bachelor’s degree in computer science, information systems, information assurance, or a related field.
• Advanced degree preferred.
• Security certifications: CISSP and CEH preferred.