Preferred Qualifications
Experience with service-oriented architectures and web services security.
At least 5 years of IS experience in three (3) or more of the following areas: Internet security, application security, security design and implementation, IS/IT auditing, IS/IT policy development, risk assessments, federal regulatory compliance for information protection.
Experience in generating automated metrics to measure IT security effectiveness and consistency.
Expert knowledge of 1 or more of the following compliance standards and frameworks: ISO, COBIT, NIST, GLBA, SOX, PCI, ISO 17799 & ISO 27001.
Expert knowledge of regulatory compliance initiatives related to Sarbanes-Oxley.
Expertise in OWASP tools (WebGoat, Damn Vulnerable scanners) and other open source tools.
Expertise in security framework tools (Metasploit, Kali Linux tools, etc.).
Excellent leadership, teamwork and collaboration skills.
Related compliance experience: ISO 27001, COBIT, NIST desirable.
Certifications: Ethical Hacking, CISA, CSAM, CISM, CGEIT, CRISC or related certifications a plus.
Basic Qualifications
8 - 10 years of information security, risk management or related experience.
Skilled in risk management, business risk analysis and making complex business/risk trade-off recommendations and decisions.
Experience in design and delivery of enterprise-level risk programs.
Technical knowledge in at least one security domain such as engineering, system and network security, authentication or security protocols.
Good understanding of the attack technique life cycle.
Responsibilities:
Collaborate with teams and processes to establish rules to protect data moving across the enterprise.
Provide coaching and development for various levels of team members.
Ensure information security compliance with governmental and industry standards and processes.
Establish credibility and maintain strong working relationships with groups involved with information security matters (Legal, Business Development, Internal Audit, Fraud, Physical Security, Developer Community, Networking, Systems, etc.).
Be responsible for building information security as a core competency throughout our relationships with our internal teams, partners and vendors; this includes designing the right level of data movement, and providing education and training to the organization.
Integrate information security into organizational IT processes and business development.
Provide support for various time-sensitive security projects.
Establish metrics and regular reporting mechanisms for measuring security risk, compliance and security posture of teams across Amazon.
Work proactively with business teams to ensure compliance objectives are met.
Be responsible for continual process improvement and innovation in the assessment process.
Evaluate complex business and technical requirements, and communicate inherent security risks and solutions to technical and non-technical business owners.
Deliver findings, recommendations and remediation steps for all activities.
Identify and institutionalize tools across the SDLC.
Controls and Compliance
Work with Domain Leaders, Technology Governance teams, Internal Audit and External Auditors on IS control descriptions and changes.
Facilitate and support quarterly IS validation testing of IS Sarbanes-Oxley (404) controls.
Test controls identified on risk assessments but not tested by other internal parties.
Work with control owners to ensure control accuracy and remediate any issues related to control exceptions.
Communicate identified control deficiencies to management effectively, both orally and in writing.
Evaluate the design and operational effectiveness of IS policies, standards, and procedures.
Re-engineer IS control environment to comply with updated policies and standards.
Perform IS process monitoring (e.g. access control, daily checklists).
Interface between Domain Leaders, Technology Governance teams and Internal/External Audit and regulatory personnel to coordinate the gathering of artifacts requested by internal and external auditors in support of the respective IS-related audits.
Manage and track outstanding IS remediation items in the Enterprise Risk Management system to ensure timely completion.
Perform IS Governance and Risk Assessment activities as required by management.
Perform additional duties, as assigned.
Risk Assessment
Conduct IS risk assessments to ensure compliance with corporate security policies and regulatory requirements and adherence to best practices.
Assist in conducting security risk assessments for new and existing systems, applications and programs to identify weaknesses or security exposures and prescribe solutions to mitigate the risks related to those weaknesses and exposures.
Perform reviews and security assessments of areas such as operating systems, database management systems, firewalls, intrusion detection systems, and web-based applications.
Be responsible for IS risk management activities, including providing guidance for projects.
Participate in key initiatives providing subject matter expertise on IS risk and compliance.
Coordinate controlled testing of controls identified on risk assessments but not tested by other internal parties with IS Controls & Compliance personnel.
Assist with developing internal IS risk management reports for senior leadership.
Perform IS Governance and Control & Compliance activities as required by management.
Perform additional duties, as assigned.