Cyber – Information Security Analyst – Bournemouth
UNITED KINGDOM Infra / Networks / Telecom
Job description
About JPMorgan Chase
J.P. Morgan is a leader in financial services, offering innovative and intelligent solutions to clients in more than 100 countries with one of the most comprehensive global product platforms available. We have been helping our clients to do business and manage their wealth for more than 200 years and we keep their interests foremost in our minds at all times. This combination of product strength, intellectual capital and character sets us apart as an industry leader. J.P. Morgan is part of JPMorgan Chase & Co. (NYSE: JPM), a global financial services firm with assets of $2.0 trillion.
Continual enhancement of the confidentiality, integrity and availability of data and systems through a robust information security agenda is a key strategic objective of JP Morgan Chase and of the Corporate and Investment Banking (CIB) group. The Corporate & Investment Bank (CIB) Business Information Security Office (BISO) is closely aligned with the firm-wide agendas of JPMorgan's Corporate Cybersecurity and Global Identity and Access Management groups; both providing the requirements of CIB and ensuring execution of firm wide initiatives at the CIB level. An array of information security initiatives are planned over the next 3 years, ranging from risk controls framework enhancement to Information and Cyber Security to Identity & Access Management. Strong information security capability is required to support this objective
The Role
The CIB BISO is seeking an experienced Information Security Analyst for the Cyber Security function. This is an excellent opportunity to be part of a first class business aligned information security office in a leading financial services provider.
The successful candidate will work closely with the broader cyber security, controls and production management teams in information security areas including cyber security assessment, risk analysis, privacy, data protection, application security and vulnerability management to assess and protect information systems, applications and data globally. Candidate is expected to participate in or lead security activities and programs including but not limited to security training, policy and standards review and implementation, secure development lifecycle, threat modeling and analysis, control assessments, security scans, vulnerability remediation and software security assurance. The candidate will be required to work collaboratively with stakeholders within the line of business and the corporate organization, provide counsel and best practices in identifying and resolving complex datasets and cyber security issues of a technical nature. Candidate must stay abreast of the current financial industry, cyber discipline and information technology changes to deliver strong subject matter expertise.
Responsibilities
· Subject matter expert to assist in application security assessment through the use of automated scanning tools and manual source code auditing techniques to identify and verify exposure to common security vulnerabilities and provide remediation guidance.
· Contribute to the development and implementation of application security policies, standards, procedures, and guidelines.
· Assist business-aligned cyber risk managers to promote risk awareness and compliance, in line with established IT Control policies, processes and procedures.
· Support the development, implementation and management of secure software life cycle processes that will assist the application development teams in integrating security requirements within their applications and databases.
· Participate and contribute in programs driving adoption of corporate cyber security framework and requirements within the line of business and liaising closely with Stakeholders to drive the program forward.
· Coordinate relevant IT security and risk activities (e.g., Regulatory, risk assessment, control testing, monitoring, vulnerability management, risk reporting) and management of any identified gaps and issues.
· Participate in or lead programs to identify, detect and improve or remediate the control environment and partner with cyber risk managers and technology teams to improve the overall risk posture across the technology environment.
· Perform information security and cyber assessments involving modelling of threats to the application, data or assets, creating and analyzing cyber-attack scenarios, evaluating control effectiveness, identifying security gaps and vulnerabilities, and providing remediation guidance to development teams.
· Interface and maintain a strong and collaborative working relationship with line of business (cyber risk management, technology control officers, application developers etc) and corporate cyber security (program management, vulnerability management, policy and standard owners etc) stakeholders
· Partner with internal LOB and corporate project managers on the implementation of security related projects for new and enhanced technology.
· Responsible for the implementation of strategic and tactical technology initiatives related to new or enhanced security products and toolsets
· Provide technical guidance to management, technology team, risk managers and broader stakeholders in the lines of business relating to information security controls and implementation
Desired profile
Qualifications
· The successful candidate will have experience in information security and risk management or equivalent
· Exposure to information security principles and relevant standards including Access Management, Change Management, Security Incidents and Business Continuity Management
· Able to identify, develop and maintain key information security risk and operations processes
· An understanding of secure software development life cycle (knowledge of SAMM, BSIMM and cyber frameworks (NIST) useful)
· Working knowledge of application assessment, application security vulnerabilities, code review methodologies, and secure coding practices
· Exposure to information security vulnerability concepts, issues and mitigation methods
· Understanding of OWASP security concepts and common vulnerability types / threat vectors, such as XSS, SQL Injection, Cookie Manipulation, Path Traversal etc.. Understanding of hashing and cryptographic techniques beneficial.
· Working knowledge of application and data security in a multi-platform environment (e.g., UNIX/ LINUX, Mainframe, Windows/ LDAP, Oracle, Sybase, MSSQL, Android, iOS).
· Exposure to automated application security-related tools such as AppScan, Fortify, QualysGuard and other commercial and open source tools
· Working knowledge of software penetration testing, code review, architectural risk assessment, and taint analysis / data-flow analysis (static scanning).
· Exposure to manual assessment tools such as HTTP Proxies, browser plug-ins, automation scripts etc.
· Information security certifications such as CISSP, CSSLP, CEH/CPT or related certifications would be an advantage.