Senior Information Assurance Analyst - Oahu jobs in United States
This job has closed.

Hawaiian Electric · 1 month ago

Senior Information Assurance Analyst - Oahu

Hawaiian Electric is a leading provider of electricity and services in Hawaii, committed to community and employee needs. The Senior Information Assurance Analyst role involves overseeing cybersecurity assessments, developing security policies, and ensuring compliance with cybersecurity standards.

Clean Energy, Energy, Energy Efficiency

Responsibilities

Performs cybersecurity assessments and provides security control requirements for IT and OT projects, including externally hosted applications and grid technology projects
Develops and manages programs and processes for privacy, e-discovery, security awareness training, digital forensics, patch management, vulnerability remediation, and other security and compliance programs
Supports detailed review and approval processing for various policies, processes, and procedures necessary to support the Company’s cybersecurity and compliance requirements
Ensures that adequate and proper internal controls, processes, practices, and standards are developed, maintained, and tested in order to meet the Company’s policy and compliance requirements
Supports the business continuity planning, disaster recovery planning, and the Company’s Cybersecurity Incident Management Team (CS-IMT), with occasional on-call support
Participates in Company emergency response activities as assigned, including any activities required to prepare for such emergency response

Qualification

Cybersecurity principles, Risk management processes, Network security methodologies, Penetration testing, Cryptography concepts, Data backup, Recovery, Vulnerability remediation, Security compliance, Analytical skills, Effective communication, Team collaboration, Critical thinking

Required

Advanced (7-10 years) analysis and/or leadership experience in a multi-level service or consulting organization, preferably in an information technology, application security, network security or quality assurance capacity. Information security experience is required
One or more of the following certifications (others will be considered): Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), GIAC Security Leadership (GSLC), Certified Cloud Security Professional (CCSP), Security+, Systems Security Certified Professional (SSCP)
Computer networking concepts and protocols, and network security methodologies
Risk management processes (e.g., methods for assessing and mitigating risk)
Cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation)
Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
Cyber threats and vulnerabilities
Cryptography and cryptographic key management concepts
Data backup and recovery concepts
Host/network access control mechanisms (e.g., access control list, capabilities list)
Network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML)
Traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL])
Programming language structures and logic
System and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code)
Network attacks and a network attack's relationship to both threats and vulnerabilities
System administration, network, and operating system hardening techniques
Different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks)
Different cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored)
Different cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.)
Network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth)
Specific operational impacts of cybersecurity lapses
Security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model)
Ethical hacking principles and techniques
Penetration testing principles, tools, and techniques
Conceptual knowledge of National Institute of Standards and Technology (NIST) Standards, ISO 27000 series, OWASP, and other security related frameworks and standards
Conceptual knowledge of utility business and related Operational Technology Systems (SCADA, DCS)
Conducting vulnerability scans and recognizing vulnerabilities in security systems
Assessing the robustness of security systems and designs
Detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort)
Mimicking threat behaviors
Use of penetration testing tools and techniques
Use of social engineering techniques (e.g., phishing, baiting, tailgating, etc.)
Use of network analysis tools to identify vulnerabilities (e.g., fuzzing, nmap, etc.)
Reviewing logs to identify evidence of past intrusions
Conducting application vulnerability assessments
Performing impact/risk assessments
Developing insights about the context of an organization's threat environment
Collaborating with teammates and other employees
Communicating effectively in writing and verbally
Proven ability to analyze highly complex systems, demonstrating critical thinking skills, independent judgment, and the ability to work toward consensus in a complex business environment
Must demonstrate analytical skills and the ability to communicate effectively (oral and written) and work with a variety of individuals throughout the organization including managers and executives
Ability to operate autonomously with only general direction and guidance

Company

Hawaiian Electric

Hawaiian Electric delivers clean and secure energy solutions by using renewable and sustainable resources that are cost-effective.

Funding

Current Stage: Public Company
Total Funding: unknown
IPO: 2000-01-14

Leadership Team

Shelee Kimura
President and CEO
Company data provided by crunchbase