Bloomfield, Pittsburgh, PA, USA
icrunchdata Network
Nesco Resource is currently looking for a Digital Health Cyber Security Engineer for a client in the downtown Pittsburgh area. The description for the position is listed below:

Role Overview:
This role could convert to an FTE next year. Degree required unless experience was gained in the Military.
S/he will collaborate with different internal stakeholders to design, engineer, and implement the governance and controls needed to incorporate security through the entire lifecycle of a product (Development, Pre-Market, Post-Market and Retirement). Controls will range from process-driven controls (e.g. Policies, Standards, Risk Assessments) to technical controls (e.g. Code Analysis, Penetration Testing, Endpoint Protections) to incident response (Detect, Respond, Recover).

Responsibilities:
(50%) Technical Cyber Security Engineering: Lead the architecting, designing, and implementation of managed and repeatable product cyber security controls in support of multiple Smith Nephew Digital Health products and cloud infrastructures. This includes but is not limited to Architecture Documentation and Reviews, Patching process, Encryption Standards, Shared Platforms, Connection Standards.
(10%) Secure-Software Development Life Cycle: Help develop cyber security strategy and a Secure-Software Development Life Cycle (S-SDLC) to ensure robust cyber security controls are present and effective in our products from product conceptualization through commercial launch and ultimately product/product family decommissioning.
(10%) Governance, Risk & Compliance: Lead the creation and management of governance, compliance and risk-based controls. This includes, but is not limited to, Policy, Standards, Regulatory Requirements, Risk Assessments, Audits, Inventory tracking, etc.
(10%) Product Cyber Security Risk Management and Threat Modelling: Lead the creation and maintenance of Product Cyber Security Risk Registers and Threat Models (STRIDE, Kill Chain Analysis).
(10%) Testing & Protections: Lead the creation and management of technical controls to mitigate and/or retire cyber security risks. Develop technical solutions and integrate automated security tools and processes to help mitigate security vulnerabilities. This includes but is not limited to Vulnerability Testing, Penetration Testing, Code Analysis, Endpoint Protections, etc.
(5%) Incident Response: Support best-practice (ISO 29147/30111) product cyber security incident response (IR) services.
(5%) Outward Facing: Provide technical leadership and competency in communications with stakeholders outside of . Help to answer questions regarding the security of different products. This includes but is not limited to Regulators, Customers, Auditors, Industry Groups, Researchers, etc.

Education:
Bachelor's degree REQUIRED in life science, computer science, information systems and/or equivalent formal training or work experience. Eight (8) years of experience in product security or IT information security.

Licenses/Certifications:
Current CISSP, CRISC, CISA, GIAC or equivalent certification preferred. SANS-related certifications.

Experience:
8 years of experience as an Information Security professional; 4 years of hands-on product security experience.
Strong understanding of mitigating security controls: Vulnerability Management, Penetration Testing, Code Security.
Security Governance models.
IT Risk and Vendor Risk Assessments.
FDA and other medical device regulators.
Experience working with customers such as Healthcare Delivery Organizations, Hospitals and physician practices.
Knowledge of cyber security standard frameworks such as ISO and NIST.
Understanding of network infrastructure, including firewalls, web proxy and/or email architecture, particularly as they apply in a mitigating control function.
Experience with different cloud computing platforms and the cloud security framework.
Ability to design, recommend, plan, develop and support implementation of innovative security solutions.
Creating and implementing corporate strategies.

Competences:
Excellent written and oral communication skills.
Excellent customer service skills and problem resolution.
Experience in managing and prioritizing multiple tasks in an effective manner.
Ability to work independently without daily direction.
Working across business lines.
Understand the current Medical Device market, including what customers want to see with regards to product security.
Understanding of back-channels typically used by threat actors for malicious activity.
Understanding of obfuscation techniques and best practices for ensuring device non-attribution.
Understanding of network and endpoint technologies.
Understanding of different connectivity protocols and any risks involved with them.
Strong communication and organizational skills, ability to multi-task, strong attention to detail, excellent problem solving and follow-up skills required.

Key Skills and Responsibilities (SFIA Based):
SCAD, Level 3: Investigates minor security breaches in accordance with established procedures. Assists users in defining their access rights and privileges. Performs non-standard security administration tasks and resolves security administration issues.
SINT, Level 4: Provides technical expertise to enable the configuration of software, other system components and equipment for systems testing. Collaborates with technical teams to develop and agree system integration plans and report on progress. Defines complex/new integration builds. Ensures that integration test environments are correctly configured. Designs, performs and reports results of tests of the integration build. Identifies and documents system integration components for recording in the configuration management system. Recommends and implements improvements to processes and tools.
SWDN, Level 4: Designs software components and modules using appropriate modelling techniques following agreed software design standards, patterns and methodology. Creates and communicates multiple design views to identify and balance the concerns of all stakeholders of the software design and to allow for both functional and non-functional requirements. Identifies and evaluates alternative design options and trade-offs. Recommends designs which take into account the target environment, performance and security requirements and existing systems. Reviews, verifies and improves own designs against specifications. Leads reviews of others' designs. Models, simulates or prototypes the behaviour of proposed software to enable approval by stakeholders and effective construction of the software. Verifies software design by constructing and applying appropriate methods.
SCTY, Level 6: Develops and communicates corporate information security policy, standards and guidelines. Contributes to the development of organisational strategies that address information control requirements. Identifies and monitors environmental and market trends and pro-actively assesses impact on business strategies, benefits and risks. Leads the provision of authoritative advice and guidance on the requirements for security controls in collaboration with experts in other functions such as legal and technical support. Ensures architectural principles are applied during design to reduce risk and drives adoption of and adherence to policy, standards and guidelines.
DESN, Level 4: Designs components using appropriate modelling techniques following agreed architectures, design standards, patterns and methodology. Identifies and evaluates alternative design options and trade-offs. Creates multiple design views to address the concerns of the different stakeholders of the architecture and to handle both functional and non-functional requirements. Models, simulates or prototypes the behaviour of proposed system components to enable approval by stakeholders. Produces detailed design specifications to form the basis for construction of systems. Reviews, verifies and improves own designs against specifications.
PROG, Level 4: Designs, codes, verifies, tests, documents, amends and refactors complex programs/scripts and integration software services. Contributes to selection of the software development approach for projects, selecting appropriately from predictive (plan-driven) approaches or adaptive (iterative/agile) approaches. Applies agreed standards and tools to achieve well-engineered outcomes. Participates in reviews of own work and leads reviews of colleagues' work.
TEST, Level 5: Coordinates and manages planning of the system and/or acceptance tests, including software security testing, within a development or integration project or programme. Takes responsibility for the integrity of testing and acceptance activities and coordinates the execution of these activities. Provides authoritative advice and guidance on any aspect of test planning and execution. Defines and communicates the test strategy for the project. Manages all test processes, including test plans, resources, costs, timescales, test deliverables and traceability. Manages client relationships with respect to testing matters. Identifies process improvements and contributes to corporate testing standards and definition of best practice.
BURM, Level 5: Carries out risk assessment within a defined functional or technical area of business. Uses consistent processes for identifying potential risk events, quantifying and documenting the probability of occurrence and the impact on the business. Refers to domain experts for guidance on specialised areas of risk, such as architecture and environment. Co-ordinates the development of countermeasures and contingency plans.
PENT, Level 5: Coordinates and manages planning of penetration tests within a defined area of business activity. Delivers objective insights into the existence of vulnerabilities, the effectiveness of defenses and mitigating controls.

Nesco Resource is an equal employment opportunity employer and does not discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, age, or veteran status, or any other legally protected characteristics with respect to employment opportunities.

Job Requirements: