Description
Essential duties and responsibilities include but are not limited to the following:

Information Technology Governance, Risk Management, and Compliance
- Participate in the design and implementation of a new information security control catalog.
- Lead the joint effort to define and update configuration standards for key technology platforms.
- Design and implement processes and technology solutions to assess, monitor, and enforce compliance with internal and regulatory requirements, such as GxP, SOX, and others.
- Interface with external partners, customers, and other third parties on matters involving information security and information risk management.
Information Security Engineering & Architecture
- Define a cohesive information security tools architecture that emphasizes integration, proper implementation and configuration of tools, and a balance of in-sourcing and outsourcing options.
- Define configuration standards and configure information security tools, both in-sourced and outsourced, inclusive of event management and monitoring.
- Provide information security consulting services to internal users, both within and outside of the IT department.
Information Security Operations
- Oversee the day-to-day administration and management of information security tools, both in-sourced and outsourced, as well as third-party/managed security service providers.
- Oversee threat and vulnerability management processes, inclusive of vulnerability scanning, remediation efforts, notifications, etc.
- Review system events and incidents on a daily basis.
- Lead the investigation of potential incidents.
- Lead incident response processes as the incident coordinator.
- Serve as the primary point of contact for information security operational matters.
- Provide third-level support for information security tools and operational processes.
Compliance
- Support IT compliance activities for GxP and SOX.
- Produce and gather evidence as required.
- Monitor and enforce compliance with policies and control requirements.
Requirements:
- 8 years' experience in Information Security/Risk Management, ideally in a mix of consulting and industry roles at a publicly traded company.
- Strong technical knowledge of technology platforms, inclusive of systems, network devices, and security solutions. Hands-on experience with Windows OS, Linux, Cisco IOS/NX-OS, relational databases, and other core enterprise technologies.
- Information security expertise in application and infrastructure security architecture, design, and engineering using technologies, solutions, or frameworks inclusive of OWASP, SAML, firewalls, SSO, IDM, data encryption & enterprise key management, PKI, IDS/IPS, malware management, web content management, SEM, etc.
- Excellent understanding of software development lifecycle models, as well as the approach and options for implementing a Secure Development Lifecycle (SDL).
- Hands-on experience with common information technology control frameworks, particularly HITRUST, the NIST 800 series, Cloud Security Alliance, and ISO.
- Working knowledge of leading information risk management frameworks, inclusive of OCTAVE, NIST RMF, and ISO/IEC 27005.
- Good understanding of key regulatory requirements for public biotechnology/pharma organizations, such as 21 CFR Part 11, SOX, and HIPAA/HITECH.
- Strong quantitative and analytical abilities.
- Excellent writing/documentation skills.
- Fluent in one or more Windows scripting languages or interfaces (e.g. PowerShell, VB, WMI, ADSI).
- Excellent understanding/working knowledge of private and public cloud IaaS solutions.
- Network design and management; hands-on knowledge of the OSI model, the TCP/IP stack, and Cisco IOS.
- Proven analytical and problem-solving abilities.
- Ability to effectively prioritize and execute tasks in a high-pressure environment.
- Good written, oral, and interpersonal communication skills.
- Ability to present ideas in business-friendly and user-friendly language.
- Highly self-motivated and directed.
- Keen attention to detail.
- Team-oriented and skilled in working within a collaborative environment.
- PC literacy required; MS Office skills (Outlook, Word, Excel, PowerPoint).
Education:
- College diploma or university degree in the field of computer science and/or 8 years of equivalent work experience.
- One or more of the following certifications:
  - CISSP
  - GIAC Information Security Professional
  - CISM
  - CISA