
Senior Security Analyst - Threat and Vulnerability Management

CLBPTS
On-site
Makati City, Philippines
Description



Develops and executes programs and processes to reduce information security risk and strengthen Oracle’s security posture.



Supports the strengthening of Oracle’s security posture, focusing on one or more of the following: risk management; regulatory compliance; threat and vulnerability management; incident management and response; security policy development and enforcement; privacy; information security education, training and awareness (ISETA); digital forensics and similar focus areas.
Risk Management: Assesses the information security risk associated with existing and proposed business operational programs, systems, applications, practices and procedures in complex, business-critical environments.  May conduct and document complex information security risk assessments. May assist in the creation and implementation of security solutions and programs.
Regulatory Compliance: Assists in programs to establish, document and track compliance with industry and government standards and regulations, e.g. ISO-27001, PCI-DSS, HIPAA, FedRAMP, GDPR, etc. Researches and interprets current and pending governmental laws and regulations, industry standards and customer and vendor contracts to communicate compliance requirements to the business.
Threat and Vulnerability Management:  May research, evaluate, track, and manage information security threats and vulnerabilities in situations where analysis of well-understood information is required.
Incident Management and Response: Responds to security events, identifying possible intrusions and responding in line with Oracle incident response playbooks.
Digital Forensics:  May conduct data collection, preservation and forensic analysis of digital media independently, where a basic understanding of forensic techniques is required.
Other areas of focus may include duties managing Information Security Education, Training and Awareness programs. In a Corporate Security role, may manage the creation, review and approval of corporate information security policies.
Compiles information and reports for management.



Minimum of 5 years of experience in information systems, business operations, or related fields is required, at least 2 years of which must be in at least one of the following: information security risk management; information security program management; industry/government security compliance program management (ISO-27001, GDPR, HIPAA, FedRAMP, etc.); threat and vulnerability management; incident management and response; security policy development and enforcement; privacy; information security education, training and awareness (ISETA); information security solutions development, etc.
Preferred but not required qualifications include: Bachelor-level university degree in a relevant field from an accredited university, or equivalent. CISSP, CISM, CISA, CIPP or other equivalent certification. Experience managing security incidents and vulnerabilities through their life cycle. Experience designing and developing automated processes for responding to possible network intrusions. Knowledge of secure software design principles and the software development life cycle. Experience with at least 1 automation language or framework (Python, Ruby, SALT, Terraform, etc.) or vulnerability scanning tool (Qualys, Burp Suite, etc.).

Responsibilities

Qualifications:



  • Bachelor’s Degree in Computer Engineering or Science, Information Technology or a related field



  • Minimum of five (5) years of experience in IT, information security, cyber risk management, compliance or a related field required, including at least 3 years of experience with Qualys vulnerability scanning and reporting

  • Knowledge and deep understanding of vulnerability and risk management

  • Familiar with attack and exploitation techniques involving operating systems, applications, and devices

  • Ability to translate raw vulnerability and audit data into executive reports

  • Excellent analytical, time management, organizational, and problem-solving abilities

  • Ability to remain flexible and maintain quality standards in a fast-changing, demanding environment

  • Knowledge of industry and regulatory requirements (PCI, ISO, etc.)

  • Experience with tools like Tanium, Splunk, Elasticsearch, JIRA, Confluence is a plus

  • Recognized industry certification and/or continuing education programs are a major plus


 


 


Job Description:


As part of Oracle+NetSuite’s Security Team, the Senior Security Analyst will assist with day-to-day operations related to vulnerability and threat risk management: identification, remediation, mitigation, and reporting.


 


Detailed Description and Job Requirements



  • Perform enterprise vulnerability scanning, secure configuration baseline verification, tool validation, data and user administration activities

  • Collaborate with service providers (e.g. Qualys) to report and address bugs and feature requests

  • Support the implementation, operation and maintenance of vulnerability management projects

  • Research and investigate new and emerging threats and vulnerabilities

  • Detect and oversee remediation of security vulnerabilities to minimize risks to operating environments

  • Proactively collaborate and communicate within the Cloud Operations and development teams to address and mitigate vulnerabilities actively leveraged by malicious actors

  • Provide key stakeholders with regular updates on progress, key blockers, dependencies, and target dates

  • Act as a subject matter expert for Qualys vulnerability scanning

  • Seek opportunities for additional responsibilities and growth within the organization. Show initiative and enthusiasm in suggesting and implementing new concepts and/or ideas for improvement

  • Be flexible working with overseas teams during off-hours