Senior Information Security Analyst

About the job

The Red Hat Information Security Governance, Risk and Compliance team is looking for an Information Security practitioner to join our team.  The majority of your role would include ensuring that highly technical security controls and administrative controls are adequately addressed in all aspects of enterprise architecture.  As you grow and feel more comfortable in the position, opportunities for automation of controls and major improvements to our Enterprise Security Standard will become a large part of the position.  A technical background and a true passion for all facets of Information Security will ensure success in this position.  

What you will do

• Ensure systems and architectures are compliant with the company’s Information Security Operating Guidelines and Enterprise Security Standard. Perform security reviews, identify gaps in security architecture, and develop remediation plans.
• Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment. Determine the security controls- that are required for information systems and networks to operate securely.
• Evaluate security architectures and designs for Software as a Service (SaaS) to determine the adequacy of security design and architecture proposed or provided in response to procurement requirements. Provide input on security requirements to be included in statements of work and other appropriate procurement documents.
• Develop and maintain relevant security policies, standards, and guidelines to address evolving security threats, best practices, and business needs.
• Develop and maintain positive working partnerships with stakeholders to maximize security outcomes while meeting business needs.

What you will bring

• Ability to work as part of a globally distributed team using multiple communication methods to facilitate collaboration (e.g., chat, voice, video, email).
• Excellent verbal and written communication skills to convey information effectively and professionally to a wide variety of technical and non-technical audiences.
• Knowledge of concepts of computer networking, Linux and other operating systems
• Basic knowledge of Kubernetes or other container management systems, 
• Knowledge of public cloud providers such as AWS, Azure, and GCP, and their corresponding security concepts and methodologies.
• Basic knowledge of industry-standard and organizationally accepted analysis frameworks and certifications such as NIST CSF, CIS, ISO 27001, SOC 2, PCI-DSS.
• Knowledge of information security defense and vulnerability assessment tools and their capabilities, including IDS, IPS, SIEM, EPS, and vulnerability management.
• Knowledge of cryptography and cryptographic key management concepts.
• Knowledge of network access, identity, and access management such as public key infrastructure, Oauth, OpenID, SAML, and SPML.

Preferred, but not required skills:

• Industry certifications such as Linux+, CISSP, CISA, or Security+ would be highly regarded.
• Familiarity with ServiceNow’s Policy & Compliance module, Vendor Risk Module and Vulnerability Response Module.
• Knowledge of risk management processes, including methods for assessing and mitigating inherent and residual risk using STRIDE or similar methodologies.
• Knowledge of privacy principles, laws, and regulations such as GDPR and CCPA.

#LI-MP1