Information Security Analyst - 18000DA7
In a nutshell
As part of the Information Security Development and Project Assurance Team, responsible for working with Programme/Project teams, including Security Architects, Technical Designers and Product Owners, to ensure that IT projects are delivered securely, protecting client and employee data and ensuring compliance with Information Security policies and standards. Co-ordinate Penetration Testing and other Security Testing in support of In-House Development utilising Waterfall and Agile delivery methodologies; manage remediation of identified vulnerabilities and participate in the full risk management lifecycle.
What I need to do
• As an Information Security Analyst, work on a number of projects under the supervision of Senior Analysts/Information Security Projects Assurance Lead.
• Provide end to end engagement on a wide range of IT projects ensuring that security is built in, they deliver securely and client and employee data is protected.
• Attend Programme/Project meetings and represent Information Security, giving advice as required.
• Review architectural and design documents including Solution Outline Documents, Detailed Designs, Network Diagrams, Data Flow Diagrams etc.
• Define Security Non-Functional Requirements for each project and ensure that they are fulfilled prior to going into service.
• Ensure the relevant technology standards are applied to specific projects.
• Produce resource estimates for Information Security engagement on projects and record your time on the current resource management tool.
• Manage external resources to ensure that penetration testing is carried out to a suitable standard on time and within budget.
• Scope and manage Penetration Testing including the production of a plan to remediate vulnerabilities identified during any tests in a timely manner.
• Liaise with the Information Security Testing Team to ensure that Code Reviews, Application Scanning and Infrastructure Scanning are conducted in support of In-House Development utilising Agile delivery methodologies.
• Responsible for ensuring that any vulnerabilities identified are processed in accordance with the latest Information Security Risk Management process, including risk analysis, identifying and applying appropriate controls, recording, reviewing and approval.
• Articulate risk in technical and non-technical terminology so that it can be interpreted by IT and Business individuals alike.
• Carry out PCI impact assessments on projects where appropriate.
• Assess the current technology infrastructure to identify information security and compliance risk areas and recommend controls to address those risks.
• Escalate any issues to the Information Security Project Assurance Lead where appropriate.
• Be a Product Champion for a technology or tool that interests you from a security perspective.
How I will succeed
• Projects/programmes are delivered securely.
• Projects are compliant with the relevant standards and regulations.
• Vulnerabilities are remediated and any residual risk is managed appropriately.
• Customer and Colleague feedback.
• Recognised as an Information Security SME.
• Continuous personal development.
• Fulfilling personal objectives.
What I need to know
• An Information Security qualification, e.g. CISSP, CISM, CISA, CEH or equivalent, desirable but not essential.
• Computer Science degree and/or MSc in Information Security desirable but not essential.
• Working knowledge of different delivery methodologies including Waterfall, Agile and Hybrid.
• Experience of risk management.
• Knowledge and skills to manage Penetration Testing processes and remediation.
• Has a broad knowledge and understanding of IT concepts and architectures including Cloud, BYOD, Mobile Device Management etc.
• Proactively takes responsibility, owns any issues arising and follows through to resolve them, recognising how individual responsibility impacts team delivery and inspires others to do the same.
• Knowledge of OWASP vulnerabilities, tools and methodologies.
• Knowledge of HTTP, SSDLC and Security Testing.
• Some knowledge of PCI, DPA and ISO 27001.
What I need to show
• Ability to work with supervision and ensure projects deliver securely.
• Ability to provide IT/IS Security assurance on projects with a view to taking on complex projects after gaining the requisite experience.
• Demonstrates knowledge of good security practice ensuring that all aspects of Confidentiality, Integrity and Availability are adhered to.
• Knowledge of methods and techniques for risk management.
• Experience of reviewing system design documentation; including Detailed Infrastructure Designs, Service Acceptance Criteria, Non-Functional Requirements etc.
• Ability to think methodically and logically and have well-honed communication skills.
• Works collaboratively with a range of people to support the Information Security and wider Business Strategies.
Resources available to me
• Senior Information Security Analysts
• Wider team of colleagues assigned to information security management, structured into four functional areas, i.e. Standards & Compliance, Project Assurance, Security Testing and Security Operations.
• Third Party contractors (as appropriate) to complete penetration testing of systems.
• Security Product Owners, Security Architects, Technical Designers, various Working Groups including Customer, Colleague, Finance etc.
• Industry and national bodies (as appropriate)
What decisions I can make
• Approve the security aspects of solutions and technical designs.
• Set the Non-Functional Requirements for a project.
• Determine appropriate controls to remediate vulnerabilities.
• Select the Gross and Net risk scores as part of the risk management process.
• Significant freedom to contribute to team processes.