JOB SUMMARY

Under the direction of the Chief Information Security Officer, the Systems and Application Security Analyst (Information Security Analyst 2 or 3) is responsible for the development and operation of UConn's Application Security (AppSec) and Systems Assessment programs. The analyst develops policy recommendations, standards, risk assessments, scanning and monitoring mechanisms, and technical solutions to address secure code development, application security, and systems security at the university. This role will assess, develop, and maintain control standards designed to improve UConn's application security posture through periodic assessments and integration of industry best practices. The Systems and Application Security Analyst is responsible for investigating a diverse range of technical issues across multiple platforms, working with a wide range of clients whose technical skills range from minimal to extensive. The Analyst works among a team of skilled technicians to address problems within a complex network environment and develops solutions that fit into that environment. The Systems and Application Security Analyst is responsible for processes and procedures to ensure the continuous improvement of monitoring, detection, and mitigation capabilities, specifically around software, systems, and databases. The Analyst plans, organizes, and establishes priorities related to an assignment; works independently with minimal outside support; and handles sensitive information in a confidential manner.

DUTIES AND RESPONSIBILITIES FOR INFORMATION SECURITY ANALYST 2

- Identify and document security controls during the requirements phase to integrate security within the software and systems development/deployment process.
- Identify security implications and apply methodologies within centralized and decentralized environments across the University's computer systems.
- Identify security issues in the operations and management of software and incorporate security measures that must be taken over the lifecycle of systems/software, including proactively identifying security considerations when decommissioning end-of-life systems and software.
- Apply coding and testing standards and employ tools including static-analysis code scanning (SAST) and dynamic analysis security testing (DAST) to information systems and advise on improvements/issues regarding application vulnerabilities.
- Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining specific security criteria.
- Consult with peers across the institution about software system design, maintenance, and risk assessments.
- Plan, implement, upgrade, and monitor security measures for the protection of data and information systems ensuring appropriate security controls are in place.
- Develop secure software testing and validation procedures.
- Perform penetration testing as required for new or updated applications and systems.
- Identify security gaps, perform risk assessments, and recommend solutions to ensure best practices and security measures are being met.
- Monitor security incident and event management (SIEM) and logging environments for security events and alerts for potential (or active) threats, intrusions, and/or compromises.
- Document event analysis and author comprehensive reports of incident investigations.
- Perform risk analysis (threat, vulnerability, and probability of occurrence) related to internal and vendor provided solutions. Perform vendor risk assessments and system security assessments.
- Develop security metrics to proactively monitor cyber threats and provide trend data.
- Assist with triage of service requests from customers and internal teams.
- Integrate data for use between various applications.
- Participate in and/or lead incident response activities, as required, for cyber security incidents.
- Promote security awareness to improve and ensure system security.
- Other related duties as assigned.
ADDITIONAL DUTIES AND RESPONSIBILITIES FOR INFORMATION SECURITY ANALYST 3 ONLY

- Serve as domain and subject matter expert in one or more information security domains.
- Design, implement, and maintain new information security solutions.
- Lead major projects / initiatives related to information security and/or cybersecurity.
- Integrate data for use between various applications and systems.
- Identify enterprise level security gaps, perform risk assessments, and recommend solutions to ensure best practices and security measures are being met across and between enterprise level systems.
- Create custom code, api/rest integrations, or other maintainable integrations to facilitate data gathering / sharing across applications and platforms.
- Ability to operate autonomously and with limited supervision.
MINIMUM QUALIFICATIONS FOR INFORMATION SECURITY ANALYST 2 AND 3

Note: Applicants must meet all minimum requirements of a specific level to be considered for the position.

- Must be a US Citizen.
- Associate's degree and four (4) years of related experience, OR Bachelor's degree and two (2) years of related experience, OR six (6) years of related experience.
- One (1) to three (3) years of experience working in an information security role or supporting an information security program.
- Experience overseeing or materially contributing to projects designed to improve institutional security maturity, adherence to security policies, and/or regulatory compliance.
- Significant experience administering an information security tool / platform, interpreting the system's output, and assisting others to leverage the capabilities of that platform.
- Experience using a SAST, DAST and/or IAST application vulnerability platform (Invicti Netsparker, Acunetix, Burp Suite Enterprise, HCL AppScan, or similar).
- Experience with web server configuration, SSL/TLS, certificate management and web application stack dependencies. Ability to troubleshoot and identify security related misconfigurations.
- Experience developing and debugging code in at least one programming language. Knowledge and experience with secure coding practices.
- Knowledge of current security regulatory requirements (HIPAA, CMMC 2.0, NIST 800-171, PCI-DSS, or similar).
- Experience applying knowledge of application security risks (OWASP Top 10, MITRE, or similar).
- Experience and competency in threat management and protection protocols.
- Experience using common enterprise security tools and controls (e.g., Firewalls, IPS/IDS/NDR, Network Segmentation, Vulnerability Scanners, EDR, SIEM/SIM, IAM, MFA, and/or similar).
- Experience weighing business needs against security concerns and making actionable recommendations.
- Excellent communication skills and attention to detail.
- Ability to operate under pressure and manage multiple priorities/deadlines.
ADDITIONAL MINIMUM QUALIFICATIONS FOR INFORMATION SECURITY ANALYST 3 ONLY

- Associate's degree and six (6) years of related experience, OR Bachelor's degree and four (4) years of related experience, OR eight (8) years of related experience.
- More than three (3) years of experience working in an information security role actively supporting secure software development.
- Experience developing and debugging code in more than one programming language. Knowledge and experience with secure coding practices.
- Experience leading complex projects involving multiple information security domains.
- Senior level practical and technical information security experience.
PREFERRED QUALIFICATIONS FOR INFORMATION SECURITY ANALYST 2 AND 3

- Relevant information security certification(s) in one or more applicable information security domains (CSSLP, GPEN, GWAPT, or similar).
- Experience developing software in an enterprise environment.
- Experience developing or implementing a secure software development lifecycle (SSDLC).
- Experience developing and operationalizing an application security program in a complex enterprise environment.
- Experience administering a SAST, DAST and/or IAST application vulnerability platform at an enterprise level (Invicti Netsparker, Acunetix, Burp Suite Enterprise, HCL AppScan, or similar).
- Experience conducting penetration tests in the application security domain.
- Experience in higher education.
- Enterprise scale project management experience.
ADDITIONAL PREFERRED QUALIFICATIONS FOR INFORMATION SECURITY ANALYST 3 ONLY

- Master's degree in information security, computer science, information management, or a related discipline.
- Experience leading software development in an enterprise environment.
- CISSP certification or equivalent.
APPOINTMENT TERMS

This is a full-time, permanent position with opportunity for a hybrid schedule. The University offers a competitive salary and outstanding benefits, including employee and dependent tuition waivers at UConn, and a highly desirable work environment. For additional information regarding benefits visit: https://hr.uconn.edu/benefits-beyond-pay/. Other rights, terms, and conditions of employment are contained in the collective bargaining agreement between the University of Connecticut and the University of Connecticut Professional Employees Association (UCPEA).

TERMS AND CONDITIONS OF EMPLOYMENT

Employment of the successful candidate is contingent upon the successful completion of a pre-employment criminal background check.

TO APPLY

Please apply online at https://hr.uconn.edu/jobs, Staff Positions, Search #498630 to upload a resume, cover letter, and contact information for three (3) professional references. This job posting is scheduled to be removed at 11:55 p.m. Eastern time on September 13, 2024. All employees are subject to adherence to the State Code of Ethics which may be found at http://www.ct.gov/ethics/site/default.asp.

All members of the University of Connecticut are expected to exhibit appreciation of, and contribute to, an inclusive, respectful, and diverse environment for the University community. The University of Connecticut aspires to create a community built on collaboration and belonging and has actively sought to create an inclusive culture within the workforce. The success of the University is dependent on the willingness of our diverse employee and student populations to share their rich perspectives and backgrounds in a respectful manner. This makes it essential for each member of our community to feel secure and welcomed and to thoroughly understand and believe that their ideas are respected by all.

We strongly respect each individual employee's unique experiences and perspectives and encourage all members of the community to do the same. All applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. The University of Connecticut is an AA/EEO Employer.