Senior Information Security Engineer - Compliance and Vulnerability Management
HeartFlow, Inc. is dedicated to making our products and technologies as secure as possible. The Senior Information Security Engineer reports to the Senior Manager, Information Security Operations, and works closely with development teams, CorpIT (Information Technology) teams, and other teams across the organization to assure vulnerabilities within the HeartFlow global enterprise are identified, validated and mitigated in a timely manner. In addition, this position will validate compliance with information security policies and standards by conducting regular audits of the HeartFlow enterprise.
- Work independently with developers, system/network administrators, product owners, and other colleagues to ensure secure design, development, and implementation of applications and networks
- Conduct recurring scans and audit and track mitigation activities through to completion
- Conduct self-assessments and coordinate third-party risk assessments of technology infrastructure and operational processes and controls for assigned areas
- Conduct scheduled, targeted (in response to advisories and remediation verification) and ad-hoc IT compliance audits and vulnerability scans for the HeartFlow global enterprise
- Investigate and validate risk levels associated with vulnerabilities identified via vulnerability scanning tools (Nessus, Dome9 and Tenable.io)
- Provide remediation guidance and recommendations and coordinate with Development Operations, CorpIT and other teams as needed to provide oversight to the remediation and/or mitigation of enterprise vulnerabilities
- Maintain and improve upon, as necessary, the existing IT and vulnerability management infrastructure, including maintenance of scanning tools, licensing, procedures, reporting, and associated communications (downtimes, upgrades, report changes, etc.)
- Create processes and workflows for all aspects of IT compliance auditing and vulnerability management. Work with cross-functional teams to improve processes, workflows and operational efficiencies
- Utilize proven sources to maintain an awareness of prevailing and emerging vulnerabilities to proactively address vulnerabilities as early as possible
- Provide recurring and ad-hoc vulnerability reports upon request
- Establish appropriate vulnerability management calendar, schedule engagements and track activities to completion. Maintain history of scans and activities for future reference
- Maintain and report out on the HeartFlow Information Security Risk Register
- Special projects including but not limited to tasks associated with HeartFlow’s Information Security Program
Technical Skills Needed:
- Direct experience with maintaining and utilizing common commercial and open-source vulnerability scanning and security auditing tools (Nessus, Nexpose, OpenVAS, etc.) in both cloud (virtual machines, AWS, Azure, etc.) and conventional (physical endpoints, servers, etc.) environments
- Thorough understanding of network defense technologies, TCP/IP networking, Active Directory, DHCP, DNS, network security monitoring tools, secure engineering principles and technical security testing methodologies
- Experience with one or more scripting languages (Perl, Python, or other) in an incident response environment
- Extensive Windows, Mac, Linux and Unix experience including deep knowledge of file system layout, log file analysis, timeline creation, and common configuration deficiencies
- Desktop, server, application, database, and network security hardening principles and practices for threat prevention
- Experience working as part of a patch management process and familiarity with patching tools (e.g., SCCM, JAMF, KACE)
- Knowledge of methods for on-going evaluation of the effectiveness and applicability of information security controls (e.g., vulnerability testing, and assessment tools).
- Ability to understand information security and information technology risks associated with vulnerability testing, patch management, and secure configuration management.
- Ability to analyze and prioritize vulnerabilities to appropriately characterize threats and provide remediation advice.
- Familiarity with classes of vulnerabilities, appropriate remediation, and industry-standard classification schemes (CVE, CVSS, CPE).
Soft Skills Needed:
- High ethical standards, integrity, and commitment to compliance
- Knowledge of common attack methodologies and common types of security vulnerabilities
- Proficiency in the use of manual and automated techniques for scanning, vulnerability, and penetration testing of networks, applications, operating systems, databases, and email systems
- Effective communication and presentation skills with demonstrated ability to prepare documentation and presentations for technical and non-technical audiences.
- Excellent written and verbal communication skills, interpersonal and collaborative skills
- Must be a critical thinker, with strong problem-solving skills
- High level of personal integrity, as well as the ability to professionally handle confidential matters, and show an appropriate level of judgment and maturity
- Self-starter, positive attitude, ability to work independently, enjoys learning and staying current with industry developments, regulations and best practices.
- Experience dealing with all levels of management and across different teams, including managing conflicts
About HeartFlow, Inc.:
HeartFlow, Inc. is a medical technology company redefining the way heart disease is diagnosed and treated. Our non-invasive HeartFlow FFRct Analysis leverages deep learning to create a personalized 3D model of the heart. By using this model, clinicians can better evaluate the impact a blockage has on blood flow and determine the best treatment for patients. Our technology is reflective of our Silicon Valley roots and incorporates decades of scientific evidence with the latest advances in artificial intelligence. The HeartFlow FFRct Analysis is commercially available in the United States, Canada, Europe and Japan. For more information, visit www.heartflow.com.
HeartFlow, Inc. is an Equal Opportunity Employer. This company does not and will not discriminate in employment and personnel practices based on race, sex, age, handicap, religion, national origin or any other basis prohibited by applicable law. Hiring, transferring and promotion practices are performed without regard to the above listed items.