Title: Security and Privacy Professional
Reports to: CIO
This position resides within the Digital Services group of CLIENT. The Security and Privacy Professional, in close partnership with the CIO and CISO, oversees and coordinates day-to-day activity related to information security and privacy oriented initiatives, policies, standards and procedures throughout the organization. The Security and Privacy Professional is responsible for planning, influencing, and coordinating the company's information security policies, setting procedures and guidelines to ensure that all information systems are functional, secure and safeguarded throughout the company and are in compliance with privacy and information security laws and regulations applicable to retail institutions. Additionally, the Security and Privacy Professional is responsible for providing leadership during security events, as well as ensuring the technical and administrative support for the development of Disaster Recovery and Business Continuity programs for the company. The incumbent interfaces with the Information and Digital Services Core IT Operations team on matters of security and privacy operational controls. In addition, the incumbent acts as an internal consultant to the organization on issues involving security and privacy.
- Work to determine acceptable risk levels for the enterprise and ensure that the IT environments are adequately protected from potential risks and threats
- Participate in development and implementation of the appropriate and effective controls to mitigate identified threats and risks
- Assist in tactical follow-up on detected security issues and drive the design and implementation of solutions to reduce security risks
- Drive the research, development, and communication around Security and Privacy matters, by maintaining and working with the operational units on the enforcement of IT security architecture, policies, procedures, solutions and standards
- Participate in and provide specific IT security oriented leadership during incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary
- Keep abreast of and advise the company with regard to the latest industry security and privacy best practices and technologies
- Coordinate with Business Owners to analyze, document and define requirements associated with new development or maintenance and enhancements to existing security roles and permissions
- Deliver services that meet regulatory specifications. Work with internal and external auditors to document and confirm that all security administrative duties are properly performed, as well as demonstrate overall compliance
- A minimum of 5 years operational and strategic experience in IT controls and information security, IT compliance, networking security or IT audit is required
- Artifact management experience, including the development and maintenance of Policies, Standards, and other supporting documentation. Ability to document and maintain the details of IT remediation projects, committee meetings, and the findings of security testing and assessment projects
- Operational experience with IT compliance requirements and processes, especially PCI DSS and adjacent PCI industry controls, mitigations, and incident responses
- Operational experience in the inventory and classification of IT assets, and the update and maintenance thereof
- Access control and identity management experience, including the principles and management of access to network infrastructure, server platforms, Active Directory domains, and databases. Ability to provide subject matter expertise in the areas of configuration management and maintenance of access control and assessment of access for these systems. Knowledge of RADIUS, LDAP, and Cloud SSO solutions is a plus
- Skilled in the principles and management of key management and encryption systems, for information in transit and at rest. Extensive knowledge of both symmetric and asymmetric cryptographic systems
- Demonstrated extensive experience with vulnerability management
- 4-year college degree or demonstrated equivalent experience with appropriate time-in-role, with subject matter majors in Computer Science, Information Management, Information Security or equivalent disciplines
- A SANS, CISSP or other equivalent industry-recognized Security certification is required
- Additional certifications in IT audit or IT controls design and management are preferred
- COBIT and/or ITIL certifications, education, or equivalent experience with control and operational frameworks a strong plus
- Information security assessment and auditing procedures, from both technical and business perspectives, and the use of formal methodologies such as NSA IAM
- Vulnerability scanning and auditing tools
- Enterprise-scale network and host-based IDS architectures
- Enterprise-scale firewall architectures
- E-commerce application security
- Computer investigation and forensics methods and technologies
- Secure messaging architectures
- Strong knowledge of regulatory bodies, and the regulations and guidance issued by these bodies
- Strong knowledge of control and privacy laws and standards, such as GLBA, SB1386, SOX and PCI
- Must possess strong project management and leadership aptitude; demonstrated professionalism in managing multiple projects and resources effectively
General Knowledge and Abilities
- Experience with PKI certificate management and root certificate repositories
- Working experience with penetration testing
- Experience working in a SaaS oriented Cloud environment
- Project Management experience
- Strong communication and facilitation skills
Office based professional, no physical requirements