JOB PURPOSE: The Security Architect provides support and leadership on how the enterprise can implement policies and technologies that secure enterprise information and the access points by which enterprise information is obtained. The incumbent will work with Security, Risk and Compliance to ensure we have proper planning, implementation and testing processes in place so that security requirements are met. The individual will work with Information Management Security staff, helping educate them on best practices and processes to apply. In addition, the Security Architect will work with internal and external development teams, project management leadership and the spend management organization to ensure that:
- Security best practices are followed in order to maintain the company’s stated security posture throughout all phases of the development lifecycle
- Security is adequately implemented and socialized among the internal and external development and Product Assurance teams
- Company assets are protected in a cost-efficient manner
- Perform risk assessments to identify, analyze, and quantify risks and vulnerabilities in systems, products and business processes as needed. Provide strategies for establishing and sustaining the security requirements of an information asset and identify protection goals and objectives consistent with the company’s strategy and business objectives. These assessments can take multiple formats, including audits, vulnerability tests, self-assessments, industry comparisons, etc.
- Assist in the development and implementation of security procedures and measures to ensure that information security is tightly integrated into each phase of the relevant development and acquisition lifecycles and follows appropriate security policies
- In coordination with various departments, define, design and implement security goals and requirements for all development, pre-production, and SaaS/IaaS/PaaS systems, projects and processes, including but not limited to: authentication, authorization, access control enforcement, transaction privacy, non-repudiation, intrusion detection and containment, audit proof of wholeness, secure state restoration, and protected communication, by utilizing appropriate technologies such as firewalls, VPN, logs, intrusion detection, password policy enforcement, physical access controls, software controls, etc., and assure that the service requirements are continuously met during pre-production
- Assist in the sourcing, creation and/or provision of training and advisory programs for all relevant personnel to ensure that all members of various project, development and systems implementation/maintenance teams have the necessary knowledge to develop and maintain secure products
- Coordinate the security hand-off of all projects and releases as they are moved into production
- Perform security testing and test case development to ensure that security requirements are met before work is released to production.
- Develop and publish security and compliance metrics to accurately inform senior management as to project risks from an information security and regulatory compliance standpoint
- Produce security and risk reports as needed. Ensure that security issues and risks identified are properly documented, communicated, escalated and resolved.
- Maintain relationships with vendors, consultants, and appropriate agencies to ensure optimum service levels and that the new systems are in full compliance with statutory and regulatory requirements
- Other tasks as required by Rent-A-Center management or business needs
- Bachelor’s degree in related field required.
- Minimum 5 years information security experience, with specific experience in secure software development practices required.
- Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Systems Security Manager (CISSM), or similar certification preferred.
- Minimum of 2 years hands-on experience with AWS security best practices and AWS services to design and develop cloud security architectures and perform architecture design reviews
- Demonstrated experience evaluating and/or providing recommendations to address deficiencies within Network Security, Network Hardware Configuration, Network Protocols, Networking Standards and Information Security Policies
- Knowledge of software vulnerabilities (OWASP Top Ten, CWE/SANS Top 25, etc.) and means of defeating/preventing them
- Solid understanding of information technology and information security practices and controls including but not limited to: encryption, network security, data protection, authentication, authorization, logical and physical segmentation, and incident logging.
- Experience with information and personal privacy issues, copyright and software piracy law and IT audit and control issues
- Experience and familiarity with control and security frameworks such as COSO, COBIT, and ISO 27002
- Knowledge of a variety of regulations including, but not limited to, the Sarbanes-Oxley Act of 2002, PCI-DSS 2.0, the Gramm-Leach-Bliley Act, HIPAA, FACTA and the FACTA “Red Flags” provisions, and US state privacy laws
- Must be articulate and persuasive, with the ability to communicate security-related concepts to a broad range of technical and non-technical staff, both in writing and orally