Senior Information Security Engineer

Nashville, Tennessee

Applications have closed

Vaco offers consulting, contract, and direct hire solutions in the areas of accounting, finance, technology, healthcare, operations, and general administration. Vaco’s Director, Head of Security, Compliance, & Risk, to whom this position reports, supports systems, infrastructure, and projects for Vaco offices, providing world-class service to our customers. This is a fast-paced environment. Candidates should thrive in an environment with high volumes of work, managing multiple projects/assignments at a time, and working in a highly collaborative atmosphere.

Description: The Senior Information Security Engineer/Data Protection Official (Sr. InfoSec Eng./DPO) is responsible for providing overall data protection and security engineering expertise in the areas of compliance management, monitoring and analysis, security vulnerability management, penetration testing, and risk mitigation, and for project management of key initiatives to implement appropriate processes related to security, compliance, & risk management, planning, and system controls. This role will lead our compliance with Data Protection/Privacy regulations globally and serve as the designated DPO in all jurisdictions, as required. They will communicate effectively with members from all levels of the company to educate, guide, and inform them of our obligations to protect customer information. This person will also engage in any "event" where privacy may have been violated and take an active role to ensure that our disclosure and reporting requirements are fulfilled. This position will work within the legal department and report to the Director, Head of the Security, Compliance, & Risk (SCR) function. This is a highly visible position in a fast-paced environment. The position will collaborate with Business Stakeholders, Business Leaders, Business Analysts, and Subject Matter Experts both internally and externally to plan and deliver projects effectively and on time.

Duties and Responsibilities:

The following duties are normal for this job. These are not to be construed as exclusive or all-inclusive. Other duties may be required and assigned.

  • Review data protection approaches and methodologies ensuring all data protection practices are in compliance with applicable mandates.
  • Participate in and contribute data protection compliance aspects to all Vaco policies and procedures as applicable.
  • Review all Vaco agreements ensuring appropriate data protection and privacy is addressed as applicable.
  • Manage application security penetration testing to ensure Vaco services, applications and websites are designed and implemented to the highest security and compliance standards and in accordance with Vaco’s risk appetite.
  • Provide leadership on data protection, privacy, and information security risk mitigation.
  • Coordinate vulnerability remediation activities and work with the IT operations function to mature the patch management lifecycle based on vulnerability management SLAs created by the Security, Compliance & Risk function.
  • Create hardening standards for all IT platform technologies.
  • Establish, manage, and maintain a secure web/applications program that will include identification of appropriate security reviews at key project milestones, manage training requirements for developers on secure coding/development practices and their management of tools and services that will enable validation of controls during the design and build phase.
  • Facilitate corporate wide and focused information security awareness training.
  • Maintain web application, source code and penetration assessment tools.
  • Deploy and maintain risk management framework and processes.
  • Develop and maintain vendor risk management processes.
  • Develop, implement, and maintain a data privacy program in accordance with GDPR and other relevant international data protection regulations as well as national & local mandates.
  • Ensure proper registration with data privacy authorities for all Vaco subsidiaries globally.
  • Inform, advise, and issue recommendations to the company regarding data privacy and protection compliance.
  • Actively collaborate and coordinate with all stakeholders in the event of a data breach or other incident.
  • Foster a data protection culture within the company and help to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.
  • Conduct data protection impact assessments (DPIAs).
  • Draft policies and standard operating procedures related to privacy and data storage.
  • Serve as the point of contact between Vaco and all data protection authorities.
  • Provide regular data protection-related training on regulations and company procedure updates to staff.
  • Monitor performance and provide advice and reports on the impact of data protection efforts to stakeholders at all levels, including executives.
  • Maintain comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which may be made public on request.
  • Interact and communicate effectively with data subjects to inform them of how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
  • Stay current on events and developments in the InfoSec and Privacy sector.
  • Perform project risk assessments.
  • Perform other duties as required.

 

Desired Competencies and Skills:

  • 5 years of experience in Information Security
  • 3 years of Information Risk assessment experience
  • Familiarity with privacy and security risk assessment and best practices, privacy certifications/seals, and information security standards certifications
  • Sound understanding of and familiarity with information technology programming and infrastructure, and information security practices and audits.
  • Adequate self-awareness and confidence to acknowledge knowledge gaps and seek to fill them from reliable sources.
  • Sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the employer.
  • Minimum 5 years of experience working with the following technologies required: Active Directory; IPSEC & SSL VPN technology; Firewalls (Check Point, Cisco); anti-virus technologies; Enterprise Encryption Solutions.
  • Experience and knowledge of the following technologies preferred: MS Azure Cloud, Meraki networks; MS SQL; Microsoft Office 365; Security Information and Event Management (SIEM), IDS/IPS
  • Must possess strong verbal and written communication skills. 
  • Knowledge of Information Security standards (ISO, NIST, HITRUST, DFARS)
  • Knowledge of vulnerability management solutions (Qualys)
  • Must possess strong project management skills.
  • Certified Information Privacy Professional (CIPP) credential

 

Educational Requirements:

  • Bachelor’s Degree in Cyber Security, Computer Science, Management Information Systems, Business Administration, or related field required.
  • One of the following certifications is required: Certified Information Systems Security Professional (CISSP); Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); GIAC certifications and Certified Ethical Hacker (CEH).
  • Any equivalent combination of education, training, and experience which provides the requisite knowledge, skills, and abilities for this job may be considered.  

 

Travel Requirements:

<10% - Occasional travel to onsite offices or vendor conferences may occur.

 

 

Vaco, LLC (“we,” “our,” or “Vaco”) respects your privacy and is committed to providing a transparent notice of our Notice at Collection and Privacy Policy for California Residents. This Notice and Privacy Policy for California Residents applies solely to those who reside in the State of California (“consumers” or “you”).

California residents may also access Vaco’s HR Notice at Collection for California Applicants and Employees.

Vaco is an Equal Opportunity Employer and does not discriminate against any employee or applicant for employment because of race (including but not limited to traits historically associated with race such as hair texture and hair style), color, sex (includes pregnancy or related conditions), religion or creed, national origin, citizenship, age, disability, status as a veteran, union membership, ethnicity, gender, gender identity, gender expression, sexual orientation, marital status, political affiliation, or any other protected characteristics as required by federal, state or local law.
