Hawaii Staffing
Senior Information Assurance Analyst - Oahu
Hawaii Staffing, Honolulu, Hawaii, United States, 96814
Senior Information Assurance Analyst
The P EJ INFORMATION ASSURANCE Department of the P INFORMATION ASSURANCE Division at Hawaiian Electric Company has one management vacancy available. (Role: Professional) JOB FUNCTION: Oversees or performs the assessments of company systems and networks and identifies where those systems/networks deviate from cybersecurity policies, acceptable configurations, or guidance. Provides consulting-level knowledge and expertise for the Information Assurance (IA) division, which includes development and enforcement of cybersecurity policies & standards, cybersecurity risk management activities, information technology (IT) and operational technology (OT) compliance, and secure integration of grid technologies and cloud services. Supports development of detailed plans and provides requirements for information systems' security controls and security monitoring solutions. Performs security control reviews to validate the security controls as designed are operating effectively. Develops policies, standards, and procedures to ensure that security controls are adequately designed. ESSENTIAL FUNCTIONS: Performs cybersecurity assessments and provides security control requirements for IT and OT projects, including externally hosted applications and grid technology projects. Develops and manages programs and processes for privacy, e-discovery, security awareness training, digital forensics, patch management, vulnerability remediation, and other security and compliance programs. Supports detailed review and approval processing for various policies, processes, and procedures necessary to support the company's cybersecurity security and compliance requirements. Ensures that adequate and proper internal controls, processes, practices, and standards are developed, maintained, and tested in order to meet the company's policy and compliance requirements. Supports the business continuity planning, disaster recovery planning, and the company's Cybersecurity Incident Management Team (CS-IMT), with occasional on-call support. Participates in company emergency response activities as assigned, including any activities required to prepare for such emergency response. BASIC QUALIFICATIONS: Knowledge Requirements: Computer networking concepts and protocols, and network security methodologies. Risk management processes (e.g., methods for assessing and mitigating risk). Cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. Cyber threats and vulnerabilities. Cryptography and cryptographic key management concepts. Data backup and recovery concepts. Host/network access control mechanisms (e.g., access control list, capabilities list). Network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML). Traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). Programming language structures and logic. System and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). Network attacks and a network attack's relationship to both threats and vulnerabilities. System administration, network, and operating system hardening techniques. Different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks). Different cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored). Different cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.). Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Specific operational impacts of cybersecurity lapses. Security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). Ethical hacking principles and techniques. Penetration testing principles, tools, and techniques. Conceptual knowledge of National Institute and Standards and Technology (NIST) Standards, ISO 27000 series, OWASP, and other security related frameworks and standards. Conceptual knowledge of utility business and related Operational Technology Systems (SCADA, DCS, etc.). Skills Requirements: Conducting vulnerability scans and recognizing vulnerabilities in security systems. Assessing the robustness of security systems and designs. Detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort). Mimicking threat behaviors. Use of penetration testing tools and techniques. Use of social engineering techniques (e.g., phishing, baiting, tailgating, etc.). Use of network analysis tools to identify vulnerabilities (e.g., fuzzing, nmap, etc.). Reviewing logs to identify evidence of past intrusions. Conducting application vulnerability assessments. Performing impact/risk assessments. Developing insights about the context of an organization's threat environment. Collaborating with teammates and other employees. Communicating effectively in writing and verbally. Proven ability to analyze highly complex systems, demonstrating critical thinking skills, independent judgment, and the ability to work toward consensus in a complex business environment. Ability to operate autonomously with only general direction and guidance. Experience Requirements: Advanced (7-10 years) analysis and/or leadership experience in a multi-level service or consulting organization, preferably in an information technology, application security, network security or quality assurance capacity. Information security experience is required. One or more of the following certifications (others will be considered): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), GIAC Security Leadership (GSLC), Certified Cloud Security Professional (CCSP), Security + , Systems Security Certified Professional (SSCP) Location: Honolulu Oahu Hiring Range: The hiring range for the Senior Information Assurance Analyst position is $107,700.00 to $139,800.00. The person selected will be placed according to his/her skills and qualifications. About Hawaiian Electric Companies Hawaiian Electric Companies provide electricity and services to 95 percent of the state's 1.4 million residents. The company is also one of the state's leading employers and a major contributor and supporter of community and educational programs. The demand for power that has fueled the growth of the Hawaiian Islands has been met by Hawaiian Electric Companies for well over a century. And as the next millennium unfolds, the company is committed to providing quality service and seeking clean local energy sources to power generations of Hawaii families and businesses to come.
The P EJ INFORMATION ASSURANCE Department of the P INFORMATION ASSURANCE Division at Hawaiian Electric Company has one management vacancy available. (Role: Professional) JOB FUNCTION: Oversees or performs the assessments of company systems and networks and identifies where those systems/networks deviate from cybersecurity policies, acceptable configurations, or guidance. Provides consulting-level knowledge and expertise for the Information Assurance (IA) division, which includes development and enforcement of cybersecurity policies & standards, cybersecurity risk management activities, information technology (IT) and operational technology (OT) compliance, and secure integration of grid technologies and cloud services. Supports development of detailed plans and provides requirements for information systems' security controls and security monitoring solutions. Performs security control reviews to validate the security controls as designed are operating effectively. Develops policies, standards, and procedures to ensure that security controls are adequately designed. ESSENTIAL FUNCTIONS: Performs cybersecurity assessments and provides security control requirements for IT and OT projects, including externally hosted applications and grid technology projects. Develops and manages programs and processes for privacy, e-discovery, security awareness training, digital forensics, patch management, vulnerability remediation, and other security and compliance programs. Supports detailed review and approval processing for various policies, processes, and procedures necessary to support the company's cybersecurity security and compliance requirements. Ensures that adequate and proper internal controls, processes, practices, and standards are developed, maintained, and tested in order to meet the company's policy and compliance requirements. Supports the business continuity planning, disaster recovery planning, and the company's Cybersecurity Incident Management Team (CS-IMT), with occasional on-call support. Participates in company emergency response activities as assigned, including any activities required to prepare for such emergency response. BASIC QUALIFICATIONS: Knowledge Requirements: Computer networking concepts and protocols, and network security methodologies. Risk management processes (e.g., methods for assessing and mitigating risk). Cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. Cyber threats and vulnerabilities. Cryptography and cryptographic key management concepts. Data backup and recovery concepts. Host/network access control mechanisms (e.g., access control list, capabilities list). Network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML). Traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). Programming language structures and logic. System and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). Network attacks and a network attack's relationship to both threats and vulnerabilities. System administration, network, and operating system hardening techniques. Different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks). Different cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored). Different cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.). Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Specific operational impacts of cybersecurity lapses. Security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). Ethical hacking principles and techniques. Penetration testing principles, tools, and techniques. Conceptual knowledge of National Institute and Standards and Technology (NIST) Standards, ISO 27000 series, OWASP, and other security related frameworks and standards. Conceptual knowledge of utility business and related Operational Technology Systems (SCADA, DCS, etc.). Skills Requirements: Conducting vulnerability scans and recognizing vulnerabilities in security systems. Assessing the robustness of security systems and designs. Detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort). Mimicking threat behaviors. Use of penetration testing tools and techniques. Use of social engineering techniques (e.g., phishing, baiting, tailgating, etc.). Use of network analysis tools to identify vulnerabilities (e.g., fuzzing, nmap, etc.). Reviewing logs to identify evidence of past intrusions. Conducting application vulnerability assessments. Performing impact/risk assessments. Developing insights about the context of an organization's threat environment. Collaborating with teammates and other employees. Communicating effectively in writing and verbally. Proven ability to analyze highly complex systems, demonstrating critical thinking skills, independent judgment, and the ability to work toward consensus in a complex business environment. Ability to operate autonomously with only general direction and guidance. Experience Requirements: Advanced (7-10 years) analysis and/or leadership experience in a multi-level service or consulting organization, preferably in an information technology, application security, network security or quality assurance capacity. Information security experience is required. One or more of the following certifications (others will be considered): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), GIAC Security Leadership (GSLC), Certified Cloud Security Professional (CCSP), Security + , Systems Security Certified Professional (SSCP) Location: Honolulu Oahu Hiring Range: The hiring range for the Senior Information Assurance Analyst position is $107,700.00 to $139,800.00. The person selected will be placed according to his/her skills and qualifications. About Hawaiian Electric Companies Hawaiian Electric Companies provide electricity and services to 95 percent of the state's 1.4 million residents. The company is also one of the state's leading employers and a major contributor and supporter of community and educational programs. The demand for power that has fueled the growth of the Hawaiian Islands has been met by Hawaiian Electric Companies for well over a century. And as the next millennium unfolds, the company is committed to providing quality service and seeking clean local energy sources to power generations of Hawaii families and businesses to come.