Education: BE or equivalent experience.
o 5+ years of experience performing penetration testing.
o 5+ years of experience managing vulnerabilities, using vulnerability scan tools, and coordinating patch management.
o 3+ years of experience using the Nessus vulnerability scanning tool.
o 1+ years of experience using the Nessus (VM) version of the vulnerability scanning tool.
o 10+ years of overall experience in IT Security.
o 3+ years of experience reviewing risk assessments, interpreting threat intelligence, and revising overall vulnerability management processes to address the evolving threat landscape.
o Analytical ability and ability to design, implement, and execute penetration testing efforts.
o Ability to design, implement, and execute vulnerability scans.
o Experience tracking both technology and industry related risks.
o Experience classifying, categorizing, prioritizing risks, and documenting risks within a centralized database for comparative analysis and strategic risk management planning.
o Experience drafting and revising processes and workflows.
o Experience leading teams, distributing workloads, and supervising personnel.
o Experience determining key performance metrics, their measurement, and their reporting.
o Good written and speaking skills in English.
o Good listening skills.
o Ability to explain change processes and technical security requirements to non-technical and non-IT security personnel.
o Certified Ethical Hacker (CEH), Certified Vulnerability Assessor (CVA), or similar certifications in penetration testing and/or vulnerability management.
Preferred additional value:
· Other IT Security and network technology certifications.
· Experience with ServiceNow ticketing and alert generation.
· Spanish speaking (written and verbal), other language skills.
Responsibilities include but are not limited to:
· Oversee Customer's vulnerability management program.
· Conduct penetration testing of Customer's software, applications, web applications, and websites. Plans must define the rules of engagement, schedule, locations, and personnel involved.
· Conduct and report on both credentialed and targeted vulnerability scanning to identify software with known vulnerabilities, unpatched database systems, unpatched devices, insecure remote access mechanisms, poor password policy enforcement, issues with cryptographic controls, and other vulnerabilities across the Customer enterprise network (including both traffic and business networks), hardware devices, communications, software, databases, and applications.
· Conduct and report on continuous vulnerability scanning to detect rogue devices on enterprise and traffic networks (e.g., devices under shadow IT, devices not approved by Customer change management, etc.), and manage automated tools or processes to identify, contain, remove, or block such devices.
· Drive implementation of recommendations from audits, penetration tests, and vulnerability scanning and assessments in accordance with a timeline and prioritization approved by Customer, including issuing project requests, determining project requirements and timelines, participating in project meetings, and identifying risks and contingencies.
· Review and request implementation of recommendations from audits, penetration tests, and vulnerability scanning and assessments.
· Ensure all identified critical and severe vulnerabilities in the Customer environment are mitigated or remediated successfully.
· At Customer's request, proactively identify, quantify, and categorize risks and vulnerabilities outside of formal vulnerability and penetration assessments, and take measures to mitigate security risks and vulnerabilities, including the creation of a known errors database and other measures requested by Customer.
· Develop processes and procedures to systematically and/or automatically detect, identify, contain, respond to, remediate, and report on identified vulnerabilities, risks, and threats, and to perform after-action reviews and Root Cause Analysis on them.
· Conduct risk assessments for each program, project, and implementation of Customer enterprise changes in a live environment.
· Maintain, manage, and perform a bi-weekly review of ISO's risk register, including cross-referencing the list to security controls, identified projects, and recommended projects and/or actions to reduce risk in the environment.
· Monitor key vendors for critical software, firmware, and configuration updates.