In a nutshell
As part of the Information Security & Compliance Team, the analyst is responsible for Security Testing, including working with BAU teams, Programme/Project teams, Agile delivery teams, Developers, Infrastructure Engineers and DevOps teams to ensure that IT projects are delivered securely, protecting client and employee data and ensuring continual compliance with Information Security policies and standards. The analyst co-ordinates Penetration Testing and other Security Testing in support of In-House Development using Waterfall and Agile delivery methodologies, manages remediation of identified vulnerabilities and participates in the full risk management lifecycle.
What I need to do
- As an Information Security Analyst in the Security Testing Team, deliver IT Security Testing Services under the supervision of Senior Analysts/Information Security Testing Team Lead i.e.
o Manage internal security assurance for internally developed applications within a DevOps environment.
o Scope penetration testing for both internal and external facing applications with external testing providers.
o Manage external resources to ensure that penetration testing is carried out to a suitable standard on time and within budget.
o Manage the internal vulnerability scanning programme to ensure that scans are planned and carried out in a timely manner.
o Ensure that vulnerabilities identified via the internal scanning programme or external penetration testing are suitably mitigated, and that any residual risks are documented and formally accepted.
o Conduct Information Security Risk Assessments using the Information Security Risk Management Process.
o Ensure that the benefits of information security and the concept of risk are understood by all colleagues.
o Proactively manage security risk assessments and mitigation plans to address risks within agreed timescales, evaluating business impact.
o Provide advice and guidance on the planning, design, implementation and improvement of system security, taking account of current best practice, legislation and regulation.
- Ensures all projects consider the security implications throughout the project lifecycle
o Security risks are identified early and catered for in the solution design, and the resulting implementation addresses these risks
o Authorises implementation of procedures to satisfy new access requirements, or provide effective interfaces between users and service providers
o Works with Sainsbury’s Legal team to ensure Data protection regulation is supported by all IT systems and processes
- Reports effectiveness of information security against industry standards and agreed KPIs, along with Security Incident Response Plans.
- Liaises with industry and national bodies (including regulators and auditors) to ensure the appropriateness of the information security function, e.g. PCI compliance
How I will succeed
- Projects/programmes are delivered securely.
- Projects are compliant with the relevant standards and regulations.
- Vulnerabilities are remediated and any residual risk is managed appropriately.
- Customer and Colleague feedback.
- Recognised as an Information Security SME.
- Continuous personal development.
- Fulfilling personal objectives.
What I need to know
- Knowledge of OWASP vulnerabilities, tools and methodologies
- Knowledge of HTTP, PCI ASV and SSDLC
- Demonstrates knowledge of good security practice covering the physical and logical aspects of information products, systems integrity and confidentiality
- Some knowledge of methods and techniques for risk management, business impact analysis, countermeasures and contingency arrangements relating to the serious disruption of IT services
- Expert in tools or systems which provide access security control (i.e. prevent unauthorised system access)
- Awareness of PCI, DPA and ISO27001.
What I need to show
- One of the following information security testing certifications is desirable but not essential: OSCP, GIAC, CEH, Qualys Certified Specialist.
- Current Information Security qualifications/certifications (e.g. CISSP, CISM, CRISC) desirable but not essential.
- Experience using web application vulnerability scanning tools (e.g. Qualys WAS, IBM AppScan, HP WebInspect)
- Experience using Static Application Security Testing (SAST) / source code analysis tools (e.g. HP Fortify, Veracode, Checkmarx)
- Ability to think methodically and logically about situations, solve problems, and communicate well in both the spoken and written word
- Has awareness of problem solving procedures used for business-critical IT incidents, and a good awareness of their implications for a retail business
- Remains visible to customers as the face of IT to listen to their concerns and share these with others
- Ability to take responsibility, own the issue, resolve it (get the required result) and recognises how individual responsibility impacts team delivery
- Works collaboratively with a range of people to support the Information Security and wider Business Strategies.
- Ability to translate complex/technical issues clearly to meet the needs of the audience
Resources available to me
- Senior Information Security Analysts
- Wider team of colleagues assigned to information security management structured into four functional areas i.e. Standards & Compliance, Project Assurance, Security Testing and Security Operations
- Third Party contractors (as appropriate) to complete penetration testing of systems.
- Security Product Owners, Security Architects, various Working Groups including Customer, Colleague, Finance etc.
- Industry and national bodies (as appropriate)
What decisions I can make
- Determine appropriate controls to remediate vulnerabilities.
- Select the Gross and Net risk scores as part of the risk management process.
- Significant freedom to contribute to team processes.