Infrastructure Security Analyst

Pennsylvania Higher Education Assistance Agency
Harrisburg, PA Full Time
POSTED ON 12/30/2022 CLOSED ON 1/8/2024

Job Posting for Infrastructure Security Analyst at Pennsylvania Higher Education Assistance Agency

PHEAA is a nonprofit student aid organization that holds a mission of providing affordable access to higher education.


Give back tomorrow by joining us today!


Salary: Grade 16

Location: Harrisburg, PA. Hybrid work schedule, Monday - Friday, 8:00 AM - 4:30 PM

Department: Vulnerability Management


JOB PURPOSE AND SUMMARY

The Infrastructure Security Analyst serves as a lead to analyze, support, record, and report infrastructure-related vulnerabilities. This role also handles compliance, identifies risk assessments, and maintains hardware asset inventory, including the Federal System Boundary Document.


PRIMARY DUTIES AND RESPONSIBILITIES

Vulnerability Management

  • Identify security issues and provide security solutions and guidance across Information Technology (IT) teams and technologies (Cisco, Windows, Linux, AWS, F5, Mainframe, AIX, SAN, VMware, Check Point Firewall, etc.) to ensure/maintain NIST 800-53, FFIEC, FISMA contracts (FSA, GA, PHCS) vulnerability management, penetration testing and compliance with associated agency-related risks.
  • Propose technical responses, interpretation of, and security response strategies for Compliance/Governance Management.
  • Identify, analyze, and interpret data, develop reporting, and communicate Vulnerability/Compliance and Risk Assessments to executive leadership weekly, at a minimum, and on demand in the event of a vulnerability incident.
  • Monitor, manage, and drive compliance for Hardware Asset Inventory.
  • Assist with ensuring Digital Technology Solutions (DTS) can differentiate assets internal/external, federal/commercial, and other key differentiation fields. Analyze associated data to develop and maintain quarterly inventory lists as needed to meet PHEAA’s compliance or policy standards.
  • Evaluate internal controls and policies for potential areas of weakness, recommend and craft control and policy updates to bring effective, positive changes to reduce the risk of audit findings, legal or regulatory sanctions, possible financial loss, and/or damage to the Agency's reputation.
  • Support and help coordinate as well as advise on execution of internal security implementations for Federal Binding Operational Agreements and Enterprise Security Office (ESO) security directives.
  • Provide guidance and recommendations to Enterprise Security Office (ESO) department for Nessus scanning and configuration needs.
  • Assist in building and maintaining roadmaps, and with the development of the Vulnerability Management Workflow for Digital Technology Solutions (DTS).

OTHER DUTIES AND RESPONSIBILITIES

  • Participate and contribute (provide written and verbal responses) during/for external and internal audit reviews, and/or complex compliance inquiries, including federal audits.
  • Other duties as assigned.


Required Skills


Bachelor’s degree in computer science and five plus years of experience in IT Operations and/or Compliance on an enterprise scale or any equivalent combination of skills, experience and/or certification.

  • Proficient at performing Vulnerability Management and compliance assessments of PHEAA’s environment/systems, utilizing tools; ex. Nessus/Tenable.SC, Nipper, Qualys, AWS tools (such as Dome9, AWS Macie, AWS Security Hub, etc.), NIST, CISA, CVE/MITRE cybersecurity directory, reviewing software vendor documentation, and driving STIG and CIS Benchmark requirements/compliance.
  • Experience as a network engineering generalist (Cisco Certified Networking Associate (CCNA), CompTIA Network+).
  • Understands basic network connectivity, engineering best practices, and networking and network security principles (OSI Model, TCP/IP, FTP, TLS, Routing, Switching, Firewalls, Access Lists, Load Balancers, DNS, IP Subnetting, VLANs, Network segmentation, etc.).
  • Experience as a systems administrator with experience both as a Windows Administrator (Microsoft Certified System Administrator – MCSA) and Linux (ex. Linux CompTIA).
  • General project management and leadership skills to drive initiatives to conclusion and direct teams to complete necessary compliance and vulnerability work without any direct authority (ex. Project Management Professional (PMP), Certified Scrum Master (CSM), or Certified Associate Project Manager (CAPM)).
  • Demonstrate strong understanding of the PHEAA Digital Technology Solutions application, infrastructure, and network architecture/implementation in order to make proper security recommendations and assess residual risk of each environment.
  • Demonstrate strong decision-making, interpersonal, negotiating, and problem-solving skills.
  • Experience with vulnerability management tools, such as Nessus/Tenable.SC, Qualys, Dome9, etc.
  • Proficient with MS Office Products, with high expertise in Excel and experience developing SharePoint databases and SharePoint Workflow Automation.

Preferred: experience with or strong understanding of Mainframe and DB2 Technologies as a generalist, including CIS benchmark and STIG compliance implementations for Mainframe and DB2 as well as RACF. Understanding of Security Best Practices (ex. Security CompTIA certification and/or CISSP). Understanding of enterprise logging, monitoring and alerting tools and the interpretation of data, including but not limited to Splunk, LogRhythm, Broadcom APM, AppDynamics, Pingdom, SiteScope, etc. Experience with scripting languages, such as Python, Bash, Perl, etc.


ESSENTIAL DUTIES AND RESPONSIBILITIES

PHYSICAL REQUIREMENTS AND WORK ENVIRONMENT

  • Provide 24/7 support as needed.
  • Perform work required for this position in an office environment.
  • Remain sedentary for significant periods of time.
  • Must be able to use a personal computer.

ADDITIONAL KNOWLEDGE, SKILLS, AND ABILITIES

  • Ability to effectively communicate technical concepts to non-technical audiences and business/security concepts to technical audiences.
  • Highly developed problem-solving skills and the ability to focus attention on detail.
  • Demonstrated analytical, critical thinking, and organizational skills.
  • Ability to work accurately, efficiently, and concentrate for long periods of time in a detailed environment.
  • Strong written and verbal communication skills.
  • Ability to work effectively in a team environment.
  • Ability to promote and support a consistent, professional, customer focus.

Conditions of Employment

  • This position will support a federal government contract. Applicants must be able to obtain Public Trust security clearance as required of federal government contractors to include a background check conducted by the U.S. Government to determine eligibility and suitability for federal contract employment for public trust or sensitive positions. For this level of clearance, the federal government requires applicants to possess U.S. citizenship. Considering this federal government requirement, PHEAA will be unable to hire applicants without United States citizenship for such positions.

PHEAA’s environment welcomes and supports our employees, customers, and stakeholders; we seek out and value differing perspectives and contributions. Our organizational culture promotes diversity, equity, and inclusion at all levels of the organization.


