Information Security Engineer

San Francisco - Onsite

Description

A leading Bay Area health insurance provider has an immediate opening for a Senior Application Security Architect in our Enterprise Architecture organization. The Application Security Architect is responsible for helping to establish the strategy, vision, and roadmap for the Healthcare IT (HIT) application security methodology and capabilities, inclusive of technology, procedures and people.

The Senior Application Security Architect will be the dedicated security subject matter expert for our HIT team, providing security consulting support for the development or acquisition of applications, databases and systems solutions that are responsive to business needs, address technical requirements and are aligned with company security strategies, policies and standards.

The ideal candidate will be a key member of the IT Enterprise Architecture organization, responsible for applying architecture standards and principles to all aspects of the organization. The candidate will be expected to be pragmatic, well organized, and results oriented in every aspect of their work. We are looking for self-starters who are comfortable making good decisions and formulating creative solutions to business and operational problems, as well as identifying and mitigating overall risk.

Specific Enterprise Architecture responsibilities include, but are not limited to, the following:

  • Provide leadership, mentorship and advisory services to HIT, business and project teams to ensure that solutions are in line with the architecture direction and business strategies
  • Collaborate across the company to drive adoption of technical standards, design principles and architecture patterns in support of HIT strategic and tactical objectives
  • Provide technical guidance and mentoring to engineers, designers and developers
  • Develop Architecture documents, standards and pattern artifacts from templates working with extended HIT and IT teams, as required
  • Identify architectural risks and plan their mitigation; ensure adherence to standards and best practices
  • Influence and communicate effectively with non-technical audiences, as required
  • Maintain a broad knowledge of emerging and new technology tools and HIT trends, and apply that knowledge to architecture designs
  • Maintain wide knowledge of IT architecture standards and patterns, a passion for advocating their correct usage, and excellent communication skills (written and verbal)
  • Demonstrate strong problem solving ability and analytical skills
  • Participate in assessing and driving future state architecture requirements based on HIT technology objectives
  • Provide assessment of current state architecture and recommendation of future state architecture
  • Define and document guidelines and standards for designing and developing target state capabilities
  • Serve as a key member of the Enterprise Architecture Review Board (EARB) for architecture governance

Specific Application Security Architecture responsibilities include, but are not limited to, the following:
  • Provides oversight and enablement of secure coding practices throughout the SDLC, conducting application security design and code reviews and proactively working to reduce risk by improving the security of deployed HIT applications and services
  • Guides the security of applications by consulting with DevOps and QA teams on the development of threat models, understanding risks, identifying required control points, and diagnosing, documenting and remediating application security vulnerabilities
  • Conducts application security and vendor (ASP, SaaS) assessments as required
  • Ensures compliance with regulatory requirements and industry standards for application security (e.g., OWASP guidance)
  • Continuously evaluates the organization's existing application security practices, defines and measures security related activities and demonstrates concrete improvements to the application security program and capabilities
  • Represents security interests to HIT project teams by ensuring security standards and requirements are defined as part of the deliverables. Provides input on secure application design and coding techniques
  • Evaluates new products, methods, and technologies to protect against existing and emerging security threats
  • Provides project consulting: evaluates proposed solutions, including vendor products, for IT security risks; works to define and push for standards; identifies gaps and applies compensating controls as deemed necessary
  • Participates in the development of IT Security strategies, policies and standards required to support HIT solutions and services
  • Collaborates with business and project teams to ensure third party applications and services comply with our policies and principles
  • Monitors the external security threat landscape and recommends proactive actions to reduce risk to the enterprise
  • Ensures appropriate access, authentication and authorization controls are incorporated in architectural and solution designs
  • Participates in driving internal certification initiatives for products based on security best practices
  • Participates in driving encryption strategy and standards, and evaluates encryption solutions

Job Required Education/Experience
  • 10 to 15 years of related IT security, application and security architecture experience
  • Demonstrated ability to perform a risk-based approach to securing applications, databases or infrastructure based upon IT and business needs
  • Experience in designing, architecting, and implementing complex enterprise applications, infrastructures, platforms and systems
  • An in-depth understanding of software development methodologies and the security controls needed to support Secure SDLC principles
  • Excellent written and verbal communication skills with strong relationship building skills
  • Persuasive in influencing strategic architecture direction, framing reference architectures, specifying policies and standards, driving consensus on target state architectures, and influencing roadmaps
  • Skilled in applying strategic architecture direction to project delivery using standard engagement methods
  • Understanding of development methodologies such as Waterfall, Scrum, Agile and JAD, and of secure coding best practices
  • Experience with Java/JEE, .NET, and databases such as Oracle and SQL Server
  • Strong working knowledge of industry-standard enterprise architecture models (e.g. TOGAF) and approaches
  • In-depth experience protecting against web and web services security vulnerabilities, including the OWASP Top Ten and the CWE/SANS Top 25 Most Dangerous Software Errors
  • Knowledge of HIPAA, HITECH, PCI DSS and the ISO/IEC 27000 series, and proper application of the HIPAA Security and Privacy Rules. Knowledge of the HITRUST Common Security Framework and NIST SP 800-53 preferred
  • Current experience testing web applications with static and dynamic analysis tools such as AppScan, Fortify and Veracode, with demonstrated ability to validate scan results for false positives and false negatives
  • Experience with internal audit techniques and implementing appropriate technical controls.
  • Strong business acumen and a commitment to integrity, process improvement and customer satisfaction
  • Broad understanding of distributed, highly available computing environments, and of proactively addressing threats and vulnerabilities at all layers
  • Knowledge of and experience with other security layers, capabilities, and technologies
  • Experience with TCP/IP and related protocols
  • Practical knowledge of the implementation, use, and risk mitigation/management concerns of cloud-based services
  • Experience with Amazon AWS preferred
  • Knowledge and experience with securing virtualized platforms

Job Additional Education/Experience
  • Knowledge of the healthcare industry and its related technology would be a strong plus
  • Bachelor's degree in Computer Science, Engineering or related field or equivalent work experience
  • Ability to rise above the security related FUD and focus on specific work priorities and execution with positive outcomes
  • CISSP, CRISC or other security and/or Enterprise Architecture methodology certifications preferred

This candidate will demonstrate the following behaviors:
  • Initiative - Shows willingness and aptitude to use own discretion in taking appropriate steps to find solutions to problems; presents options and ideas to enhance current processes or procedures; takes on additional responsibility when both big and small tasks need to be done
  • Integrity - Firmly adheres to the values and ethics of the company; exhibits honesty, discretion, and sound judgment
  • Cooperativeness - Willing to work with others, collaborating and compromising where necessary; promptly shares relevant information with others
  • Flexibility - Is open to changing situations and opportunities and is willing to perform all tasks assigned
  • Independence - Able and willing to perform tasks and duties without supervision
  • Resiliency - Maintains a positive "can-do" outlook, rebounds quickly from frustrations, and maintains composure and a friendly demeanor while dealing with demanding situations
Start date: 08/2014
From: Real Staffing
Published at: 17.08.2014
Project ID: 759853
Contract type: Freelance