Location: San Francisco, CA
Remote Employment: Flexible/Hybrid
DEADLINE TO APPLY IS WEDNESDAY, FEBRUARY 1, 2023 AT 11:59 PMIF YOU ARE INTERESTED, PLEASE APPLY IMMEDIATELY First round interviews tentatively scheduled for Thursday, February 9, 2023
A resume and cover letter are not required with your application, but highly encouraged
Be ready to rethink your assumptions about the public sector. Flexible hours? Flexible work location? A beautiful, well-located, high amenity building for on-site work? Yes, yes, and yes!
The Metropolitan Transportation Commission (MTC) is the transportation planning, financing and coordinating agency for the nine-county San Francisco Bay Area. For more information about MTC, visit www.mtc.ca.gov.
MTC is committed to being an equitable and inclusive workplace. The Technology Services Section (TSS) focuses on career and personal development with an emphasis on emotional intelligence, innovation, and a growth mindset. TSS’s vision is to empower the region using innovative technology solutions to connect citizens and enrich and transform how we travel, work and live.
The Information Security Analyst position will be filled at the Associate level and is under the direction of MTC’s Information Security Officer in the Technology Services Section. This position will provide hands-on technical and project management support for various components of the Information Security Program. This role will provide exposure to many areas of information security functions in addition to the focus area of information security operations. The Information Security Analyst will perform other job-related tasks and duties as need or assigned by the TSS Section.
Salary: $111,700.16 – $141,662.98 Annually
Job Type: Regular/Full-Time
Section: Technology Services
Closing: 2/1/2023 11:59 PM Pacific
All employees at MTC are classified as Disaster Services Workers.
SKILLS AND ABILITIES:
The ideal candidate will have the following knowledge, skills and abilities:
- Cybersecurity operations and incident response best practices.
- Security controls and leading security analysis in finding and remediating security threats.
- Understanding of the fundamentals of networking, firewall, secure remote access, identity management solutions, Cloud security, Email and application-level security fundamentals and secure configurations.
- Knowledge or familiarity of standard security frameworks and compliance standards (e.g. NIST CSF, CIS Critical Security Controls, PCI).
- Current and existing cyber threat landscape; this position will require that you stay current with latest trends and developments throughout your employment.
Skills and Abilities:
- Critical and analytical thinking with agile decision-making skills.
- Must have effective verbal and written communication skills.
- Highly collaborative style focused on teamwork.
- Ability to build partnerships with the other IT and business groups.
- Responsiveness and ownership of the work.
- Ability to effectively work with the external software vendors and managed security services providers.
- Project management skills, including identifying security requirements and related technical specifications in a proactive (versus, reactive) manner.
- Ability to manage time effectively and work independently on the assigned projects and ongoing operational duties.
- Ability to create and follow standard processes and procedures, and to document the work in an auditable format.
- Flexibility and working comfortably in ambiguity during a developing situation.
An appropriate combination of education and experience that has provided the required knowledge, skills and abilities is qualifying. A typical way of obtaining the required qualifications is:
Education: A Bachelor’s degree in computer science, information systems or related field. (Applicants with a degree issued from an institution outside the United States must have their transcripts evaluated by an academic accrediting service and provide proof of equivalency along with their application.)
Experience: Five years of increasingly complex work experience in planning, designing and implementing major computer systems and databases, including the equivalent of two years as a Systems Analyst II in MTC. A minimum of one year of verifiable work experience working as an Information Security professional supporting internal IT and business groups, or external customers is required.
Required Certification: An industry standard Information Security certification (e.g. CompTIA Security+, CISSP, CISM) from an accredited educational institute with coursework in Information Security OR a dedicated diploma or certificate course in Information/Cyber Security from an accredited institution is required. Candidates who are currently pursuing an advanced information security certification (e.g. CISSP, CISM) are welcome to apply.
License/Certificate: Possession of a valid California Class C driver’s license and a safe driving record, or the ability to provide alternate transportation which is approved by the appointing authority.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
Information Security is a highly dynamic and evolving area. The selected candidate will need to perform the duties as per the changing threat environment and/or changing business and compliance needs. Specific duties and responsibilities include, but are not limited to, the following:
Security Operations and Security Architecture:
- Coordinate with the current managed security services vendor for all security operations needs, including the enhancements, portal configurations, integrations and incident response in a changing IT and business environment.
- Responsible for the end point security, and coordinate with internal IT groups and end point security vendor to ensure the optimum level of protection all the time.
- Coordinate with the managed security services vendor for the incident response.
- Assist IT and Business groups to document and analyze the security requirements of new projects or system upgrades, and accordingly propose the security architecture, tools, and solutions to mitigate the risk.
- Ensure the proper functioning of the managed security service, logging, monitoring, and integration for managed security operations control center (SOC).
Information Security Program Management:
- Assist Information Security Officer to maintain and align information security policies, incident response plan and related documents and processes.
- Assist business groups to provide support for the PCI compliance audit and related processes.
- Coordinate with the managed services vendor for Program Management activities. (e.g., for 3rd party SOC report reviews, penetration testing and tabletop exercises at a regular cadence).
- Own the Information Security Awareness Training delivery process, the training portal, and its configurations.
- Assist Information Security officer for other Information Security Program management duties, including delivering special training to staff, and to function as a delegated point of contact to represent Information Security function.
Threat and Vulnerability Management:
- Enhance the vulnerability management processes and build new capabilities.
- Coordinate with internal IT groups to ensure the appropriate level of patching at a regular cadence, and coordinate for emergency patches.
- Communicate with business and IT groups effectively and timely on the emerging and zero-day threats and malwares as applicable to MTC’s business.
Application and Software Development Security:
- Work with the software development groups across the agency to build new capabilities in secure software development based on shift-left principle for security.
- Analyze, document, and regulate the use of open-source software to ensure the use of authentic open-source code and secure the code repositories.
- Develop a knowledge base for the agency on application security and establish the processes following industry standards and controls (e.g. OWASP or CIS Critical Security Controls).
Training and Certifications:
- Obtain ongoing training and keep current with the threat landscape
- Achieve an industry recognized vendor agnostic information security certification within a year of appointment and maintain it throughout employment.
HYBRID WORK – Employees may need to be in the office for some assignments/tasks that can only be done onsite or at a designated MTC work assignment location. This position is primarily remote. However, in-person attendance on-site will be as needed or assigned.