Senior Security Engineer (Systems Certification And Accreditation)

Marriott International, Bethesda, MD 20813

Posted 2 months ago

Marriott International is the world's largest hotel company, with more brands, more hotels and more opportunities for associates to grow and succeed. We believe a great career is a journey of discovery and exploration. So, we ask, where will your journey take you?

JOB SUMMARY

Advises and assists Information System Owners with vulnerability remediation and secure implementation of the full technology stack (e.g. application, middleware, database, servers). Analyzes system security plans and certification and accreditation (C&A) documentation to determine system fitness for operation. Works closely with vulnerability management, risk management, application security and security architecture to accredit and authorize systems for operational release. Implements and reviews standards, policies and procedures to enhance security certification and accreditation processes. Performs certification activities on an as-needed basis, which may include code reviews, configuration audits, application security assessments, vulnerability assessments and security control assurance validation. This position requires a candidate with broad knowledge of network security, application security and risk management. The candidate will lead setting the strategy for the configuration, deployment and management of vulnerability management solutions.

CANDIDATE PROFILE

Education and Experience

Required:

  • Undergraduate degree in Cyber Security, Computer Science or a related field, or equivalent experience/certification.

  • 7+ years of experience in Information Security, with at least 3 years of:

      • Performing risk assessments and analysis within Information Technology.

      • Performing quality assurance, basic software development and software project management.

  • 2+ years' experience in:

      • Applying qualitative risk management concepts.

      • Use of at least one general-purpose scripting language (e.g. Python, Perl, PHP, VBScript, PowerShell).

      • Application of general application security concepts (e.g. OWASP Top 10, MITRE CWE and CAPEC).

  • 1+ years' experience with:

      • Common web technologies (e.g. Docker, Kubernetes, Kafka, WAS, Tomcat, JBoss).

      • Web application security technologies and principles (e.g. network segmentation, multi-tier architectures, microservice architecture, transport encryption, tunneling, SAML, OAuth/OIDC, web application firewalls).

  • All phases of Certification and Accreditation.

Preferred:

  • Graduate degree in Cyber Security, Computer Science or a related field.

  • Current information security certification, such as: Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), GIAC Enterprise Vulnerability Assessor (GEVA), Certified Secure Software Lifecycle Professional (CSSLP).

  • Strong knowledge of vulnerability remediation methods beyond patching (secure configuration, attack surface area reduction, secure code implementation, zero trust networking concepts).

  • Demonstrated leadership experience in a sourced environment.

  • Demonstrated ability to work independently and with others.

  • Demonstrated ability to work in high-velocity and complex environments.

  • Experience with setting the strategy for the configuration, deployment and management of vulnerability management solutions (e.g. Nessus Professional, Tenable Security Center and Tenable.io).

  • Current cloud security certification, such as AWS Certified Security - Specialty or GCP Professional Cloud Security Engineer.

  • Proficient in quantitative risk management concepts.

  • Experience with performing SAST/DAST and Penetration Tests.

  • Experience with Fortify SCA/SSC.

  • 5+ years of experience in infrastructure engineering (building, patching and managing RHEL systems at scale).

  • Proficient in at least one general-purpose systems language (e.g. Java, C/C++, Golang, C#, Objective-C).

CORE WORK ACTIVITIES

  • Lead setting the strategy for the configuration, deployment and management of vulnerability management solutions (e.g. Nessus Professional, Tenable Security Center and Tenable.io).

  • Perform comprehensive assessments of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly and producing the desired outcome, relative to the security requirements.

  • Initiate and/or evaluate vulnerability scans against application source code and infrastructure as needed to certify and accredit systems.

  • Manage third party security service provider resources or services that contribute to system certification assessments.

  • Analyze system architectures and designs to identify deficiencies in security control implementation, secure configuration and mitigation of security risk.

  • Provide authorization to operate, interim authorization to operate, or denial of authorization to operate based on certification and accreditation state.

  • Review security accreditation packages (approved system security plans, security assessment report, plan of actions and milestones).

  • Respond to production risk analysis inquiries and provide guidance based on previously authorized releases and accreditation packages.

  • Leverage vulnerability scanning platforms (e.g. Fortify SCA, WebInspect, Netsparker, ZAP, Burp Suite, Aqua CSP, Tenable.io) to perform detailed vulnerability assessments of applications and systems.

  • Provide patching guidance based on information provided by vulnerability assessment tools and vendor supplied remediation data.

Technical Leadership

  • Trains and/or mentors other team members and peers as appropriate.

  • Provides financial input on department or project budgets, capital expenditures or other cost/resource estimates as requested.

  • Identifies opportunities to enhance existing processes.

IT Governance

  • Follows all defined IT standards and processes (e.g. IT Governance, SM&G, Architecture) and provides input for improvements to the appropriate process owners as needed.

  • Maintains a proper balance between business and operational risk.

  • Follows the defined project management standards and processes.

Marriott International is an equal opportunity employer committed to hiring a diverse workforce and sustaining an inclusive culture. Marriott International does not discriminate on the basis of disability, veteran status or any other basis protected under federal, state or local laws.

JOB DETAILS

Posting Date: Apr 16, 2020
Job Number: 20032970
Job Category: Information Technology
Location: Marriott International HQ, 10400 Fernwood Road, Bethesda, Maryland, United States
Brand: Corporate
Schedule: Full-time
Relocation: No
Position Type: Management