Senior Information Security Analyst - Security Testing

15 Apr 2018
18 Apr 2018
As part of the Information Security & Compliance Team, the analyst is responsible for Security Testing, including working with BAU teams, programme/project teams, Agile delivery teams, developers, infrastructure engineers and DevOps teams to ensure that IT projects are delivered securely, protecting client and employee data and ensuring continual compliance with Information Security policies and standards. The analyst co-ordinates penetration testing and other security testing in support of in-house development using Waterfall and Agile delivery methodologies, manages remediation of identified vulnerabilities and participates in the full risk management lifecycle.

What I need to do

The analyst will be engaged in delivering IT Security Testing Services:
- Manage internal security assurance for internally developed applications within a DevOps environment
- Scope penetration testing for both internal and external facing applications with external testing providers
- Manage external resources to ensure that penetration testing is carried out to a suitable standard, on time and within budget
- Manage the internal vulnerability scanning programme to ensure that scans are planned and carried out in a timely manner
- Ensure that vulnerabilities identified via the internal scanning programme or external penetration testing are suitably mitigated, and that any residual risks are documented and formally accepted
- Conduct Information Security Risk Assessments using the Information Security Risk Management Process
- Ensure that the benefits of information security and the concept of risk are understood by all colleagues
- Pro-actively manage security risk assessments and mitigation plans to address risks within agreed timescales, evaluating business impact
- Provide advice and guidance on the planning, design, implementation and improvement of system security, taking account of current best practice, legislation and regulation
- Ensure all projects consider the security implications throughout the project lifecycle:
  - Security risks are identified early on and catered for in the solution design, and the resulting implementation addresses these risks
  - Authorise implementation of procedures to satisfy new access requirements, or provide effective interfaces between users and service providers
  - Work with Sainsbury's Legal team to ensure data protection regulation is supported by all IT systems and processes
- Report the effectiveness of information security against industry standards and agreed KPIs, along with Security Incident Response Plans
- Liaise with industry and national bodies (including regulators and auditors) to ensure the appropriateness of the information security function, e.g. PCI compliance

How I will succeed

- Projects/programmes are delivered securely
- Projects are compliant with the relevant standards and regulations
- Vulnerabilities are remediated and any residual risk is managed appropriately
- Customer and colleague feedback
- Recognised as an Information Security SME
- Continuous personal development
- Fulfilling personal objectives

What I need to know

- Extensive knowledge of OWASP vulnerabilities, tools and methodologies
- Extensive knowledge of HTTP, PCI ASV (Approved Scanning Vendor) scanning and the SSDLC (secure software development lifecycle)
- Extensive knowledge of good security practice covering the physical and logical aspects of information products, systems integrity and confidentiality
- Expert in methods and techniques for risk management, business impact analysis, countermeasures and contingency arrangements relating to the serious disruption of IT services
- Expert in tools or systems that provide access security control (i.e. prevent unauthorised system access)
- Strong current knowledge of PCI, DPA and ISO27001

What I need to show

- At least one of the following information security testing certifications: OSCP, GIAC, CEH, Qualys Certified Specialist
- Current information security qualifications/certifications, e.g. CISSP, CISM, CRISC, CISA
- Experience using web application vulnerability scanning tools (e.g. Qualys WAS, IBM AppScan, HP WebInspect)
- Experience using static application security testing (SAST) / source code analysis tools (e.g. HP Fortify, Veracode, Checkmarx)
- Ability to work on own with minimal supervision and deliver on time and to budget
- Ability to think methodically and logically through situations, problem solve and communicate well in both spoken and written word
- Expert awareness of problem-solving procedures used for business-critical IT incidents, and a good awareness of their implications for a retail business
- Remains visible to customers as the face of IT, to listen to their concerns and share these with others
- Ability to take responsibility, own the issue, resolve it (get the required result) and recognise how individual responsibility impacts team delivery
- Works collaboratively with a range of teams/people to support the wider business needs
- Ability to translate complex/technical issues clearly to meet the needs of the audience
- Ability to balance the benefits of optimised security with the cost of providing it, to promote the best overall interests of the business

Resources available to me

- A team of colleagues assigned to information security management, structured into four functional areas: Standards & Compliance, Project Assurance, Security Testing and Security Operations
- Third-party contractors (as appropriate) to complete penetration testing of systems
- Security Product Owners, Security Architects, Technical Designers and various working groups including Customer, Colleague, Finance etc.
- Industry and national bodies (as appropriate)

What decisions I can make

- Determine appropriate controls to remediate vulnerabilities
- Select the gross and net risk scores as part of the risk management process
- Significant freedom to contribute to team processes