Security Analyst II

GCI's Security Analyst II will work within management and operation of enterprise-wide vulnerability scanning; enables the business to operate securely, protect its people, defend its assets, and preserve shareholder value. The position accomplishes this by administering and operating a vulnerability scanning platform to identify hardware, operating system, and application vulnerabilities within the environment.

ESSENTIAL DUTIES AND RESPONSIBILITIES FOR ALL LEVELS:

Security Operations (prevention & identification):

• Maintain daily security operational procedures, tasks, and controls.

• Manage and communicate the current threat landscape, identifying and orchestrating the mitigation of threats and vulnerabilities.

• Manage security controls, product updates, procedures, and tools to defend assets against vulnerabilities that put them at risk.

• Manage security configurations, standards and rules for the vulnerability scanning platform, including policy assessment, reporting, tuning, troubleshooting and vendor escalations.

• Maintain appropriate access to the vulnerability scanning platform and work with other business units to ensure visibility and scan quality.

Vulnerability Management Program:

• Assist in the development of security policies, procedures & standards.

• Perform periodic risk-based assessments of systems, networks, and applications to help operational teams prioritize and escalate remediation efforts.

• Stay current with industry security advances or potential security/fraud problems, compliance, and regulatory trends about new technology and best practices.

• Serve as subject matter expert to business areas, project teams and ensure the appropriate implementation of vulnerability scanning.

• Support audit processes and remediation plans

• Support the security awareness and training objectives of the Enterprise Security Office

Competencies

• Demonstrated commitment to GCI's core values of diversity, equity, and inclusion (DEI) by promoting and maintaining an inclusive and equitable work environment for all employees and contractors, and in interactions with customers, vendors, and the public.

• ACCOUNTABILITY- Takes ownership for actions, decisions, and results; openly accepts feedback and demonstrates a willingness to improve. Ability and capability to work with only minimal supervision.

• BASIC PRINCIPLES - Interacts with people in a way that builds mutual trust, confidence, and respect; adheres to GCI's Code of Conduct for Employees - the Basic Principles.

• COLLABORATION - Works effectively with others to accomplish common goals and objectives; maintains positive relationships even under difficult circumstances. Ability to develop and maintain productive relationships with peers, subordinates, and managers across the enterprise.

• COMMUNICATION- Conveys thoughts and expresses ideas appropriately and professionally. Demonstrated ability to discuss complex technical details with extended support staff and translate into non-technical communication.

• COMPLIANCE - Follows internal controls; protects confidential information; abides by GCI's Code of Business Conduct & Ethics. Model example of integrity and trustworthiness, honors the confidentiality of information entrusted to them and promotes and fosters the mission statement for the Enterprise Security Office.

• CUSTOMER FOCUS - Demonstrates commitment to service excellence; gives high priority to customer satisfaction. A strong customer/client focus, with the ability to manage expectations appropriately, to provide a superior customer/client experience and build long-term relationships.

• RELIABILITY - Consistently follows through on assigned tasks as expected; demonstrates timely attendance at meetings, training, and other work obligations.

• RESULTS - Uses a combination of job knowledge, initiative, sound decision making, innovation, adaptability, and problem solving. Demonstrated ability to move easily between detail and conceptual levels and work on multiple projects with varying and changing priorities and timelines. Strong analytical skills to analyze security requirements and relate them to appropriate security controls.

• In-depth knowledge and understanding of an enterprise-class vulnerability scanning platform deployed across a large and diverse technology environment with thousands of assets.

• Proficiency in performing risk and vulnerability assessments.

• Knowledge of and experience in developing and documenting security architecture and plans, including strategic, tactical and project plans.

• Audit, compliance, and governance familiarity

• Familiarity with privacy and compliance standards, such as SOX, HIPAA and PCI-DSS

• Knowledge of the fundamentals of project management, and experience with creating and managing project plans, including budgeting and resource allocation

• Experience in IT processes including incident management, problem management, change management, and release management.

• SAFETY & SECURITY - Supports a safe work environment by following all workplace safety rules and guidelines; complies with applicable Security policies and procedures. Demonstrated ability to keep confidential information secure.

• DECISION MAKING: Uses sound, logical judgment based on department and company policy and procedures, data, research, and experience to choose an appropriate course of action.

• Strong understanding of business applications and financial systems.

• Excellent technical knowledge of mainstream operating systems, for example Microsoft and Linux, and a wide range of security technologies, such as network security appliances, Identity and Access Management (IAM) systems, anti-malware solutions, automated policy compliance tools, and desktop security tools.

• Knowledge of network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.

• Familiarity with configuration benchmarks such as CIS, STIG and SCAP

• Familiarity with frameworks and standards, such as ISO 2700x, ITIL, COBIT, and NIST frameworks.

Technical Competencies

• Proficient computer skills and MS Office knowledge (e.g., Outlook, Teams, Word, Excel) to use the company intranet.

• Strong understanding of business applications and financial systems.

• Excellent technical knowledge of mainstream operating systems, for example Microsoft and Linux, and a wide range of security technologies, such as network security appliances, Identity and Access Management (IAM) systems, anti-malware solutions, automated policy compliance tools, and desktop security tools.

• Knowledge of network infrastructure, including routers, switches, firewalls, and the associated network protocols and concepts.

• Familiarity with configuration benchmarks such as CIS, STIG and SCAP

• Familiarity with frameworks and standards, such as ISO 2700x, ITIL, COBIT, and NIST frameworks.

Level Definition

Position Title: Security Analyst II

Grade: E06

Additional Job Requirements:

This is a mid-level position requiring the ability to work independently while performing moderately complex and diverse duties under deadlines and operating constraints. Must be capable of performing the role of "Security Analyst" for smaller, less complex projects. Must have a comprehensive understanding of company operations, functions, and business philosophy. Requires ability to make and implement routine operational decisions. Position functions under moderate supervision.

• Mentor and training Analysts, I

• Improve and enhance daily security operational procedures, tasks, and controls.

• Create and implement security controls, procedures, and tools to defend people and assets against current and emerging security threats/risks.

• Define security configurations, standards, and rules for security systems and applications, including policy assessment and compliance tools, network security appliances, and host-based security systems.

• Receive and review audit findings, manage the collection of responses and remediation plans.

Minimum Qualifications:

Required: *A combination of relevant work experience and/or education sufficient to perform the duties of the job may substitute to meet the total years required on a year-for-year basis.

• High School diploma or equivalent.

• Bachelor's degree in computer science, technology, security, or related field. *

• Minimum of three (3) years' experience in information security, information technology infrastructure, programming development, support, operations, systems, security, administration, access control, cryptography, architecture, analysis, disaster recovery, investigations, compliance, or technical legal areas (such as those involved in law enforcement, prosecution, defense, or forensics). *

• Including two (2) years' experience in involving vulnerability management duties.

Preferred:

• CEH: Certified Ethical Hacker

• GSEC / GCIH/ GCIA: GIAC Security Certifications

• ECSA: EC-Council Certified Security Analyst

• GCPM: GIAC Certified Project Manager

• CISA: Certified Information Security Auditor

• CCFP: Certified Cyber Forensics Professional

• CRISA: Certified in Risk and Information Systems Control

• CISSP: Certified Information Systems Security Professional

• CISM: Certified Information Systems Manager

• GSLC: GIAC Security Leadership

• CSX Certificate, CSX Practitioner, or CSX Specialist

• Other applicable telecom industry, IT, Information Security and Compliance related Certifications.

Required at ALL Levels

DRIVING REQUIREMENTS:

• This position may require access to reliable transportation for occasional travel, such as, between retail store locations, offices, worksites, or other locations as needed.

PHYSICAL REQUIREMENTS AND WORKING CONDITIONS:

• Work is primarily sedentary, requiring daily routine computer usage.

• Ability to work shifts as assigned, work in standard office/home office setting, and operate standard office equipment.

• Ability to accurately communicate information and ideas to others effectively.

• Physical agility and effort sufficient to perform job duties safely and effectively.

• Ability to make valid judgments and decisions.

• Available to work additional time on weekends, holidays, before or after normal work hours when necessary.

• Work is performed at a variety of GCI locations or remotely.

• Travel for business and training purposes is required.

• Position is expected to work a rotational 7/24 on-call schedule and is subject to call-in as required.

• Must work well in a team environment and be able to work with a diverse group of people and customers.

• Virtual workers must comply with remote work policies and agreements.

• Background /Security Conditions: Based on the position's business needs, background and security checks are subject to Level 3 background, credit check and drug testing; these background and security checks will be conducted on a three-year rotation basis, or periodically based on specific contract requirements. GCI will ensure that background checks are conducted in compliance with all applicable federal and state statutes, such as the Fair Credit Reporting Act (FCRA) and the Americans with Disabilities Act (ADAAA).

The company and its subsidiaries operate in a 24/7 environment providing critical services to Alaskans and may need to respond to public health and safety matters or other business emergencies. Due to business needs employees may be contacted outside of the core business hours to respond to an immediate emergency. As such, you will be requested to provide emergency after hours contact numbers, to include your home and cell phone numbers if you have those services. EEO: GCI is an equal opportunity employer. Qualified applicants are considered for employment without regard to race, color, religion, national origin, age, sex, sexual orientation, gender identity, marital status, mental or physical disability, veteran status, or any other status or classification protected under applicable state or federal law. DISCLAIMER: The above information on this description has been designed to indicate the general nature and level of work performed by employees within this classification. It is not designed to contain or be interpreted as a comprehensive inventory of all duties, responsibilities, and qualifications required of employees assigned to this job.