Metropolitan Transportation Commission – Information Security Analyst

The Information Security Analyst position will be filled at the Associate level and is under the direction of MTC’s Information Security Officer in the Technology Services Section.  This position will provide hands-on technical and project management support for various components of the Information Security Program. This role will provide exposure to many areas of information security functions in addition to the focus area of information security operations.  The Information Security Analyst will perform other job-related tasks and duties as need or assigned by the TSS Section.

HYBRID WORK – Employees may need to be in the office for some assignments/tasks that can only be done onsite or at a designated MTC work assignment location.  This position is primarily remote.  However, in-person attendance on-site will be as needed or assigned.

ESSENTIAL DUTIES AND RESPONSIBILITIES

Information Security is a highly dynamic and evolving area. The selected candidate will need to perform the duties as per the changing threat environment and/or changing business and compliance needs. Specific duties and responsibilities include, but are not limited to, the following:

Security Operations and Security Architecture

• Coordinate with the current managed security services vendor for all security operations needs, including the enhancements, portal configurations, integrations and incident response in a changing IT and business environment.
• Responsible for the end point security, and coordinate with internal IT groups and end point security vendor to ensure the optimum level of protection all the time.
• Coordinate with the managed security services vendor for the incident response.
• Assist IT and Business groups to document and analyze the security requirements of new projects or system upgrades, and accordingly propose the security architecture, tools, and solutions to mitigate the risk.
• Ensure the proper functioning of the managed security service, logging, monitoring, and integration for managed security operations control center (SOC).

Information Security Program Management

• Assist Information Security Officer to maintain and align information security policies, incident response plan and related documents and processes.
• Assist business groups to provide support for the PCI compliance audit and related processes.
• Coordinate with the managed services vendor for Program Management activities. (e.g., for 3rd party SOC report reviews, penetration testing and tabletop exercises at a regular cadence).
• Own the Information Security Awareness Training delivery process, the training portal, and its configurations.
• Assist Information Security officer for other Information Security Program management duties, including delivering special training to staff, and to function as a delegated point of contact to represent Information Security function.

Threat and Vulnerability Management

• Enhance the vulnerability management processes and build new capabilities.
• Coordinate with internal IT groups to ensure the appropriate level of patching at a regular cadence, and coordinate for emergency patches.
• Communicate with business and IT groups effectively and timely on the emerging and zero-day threats and malwares as applicable to MTC’s business.

Application and Software Development Security

• Work with the software development groups across the agency to build new capabilities in secure software development based on shift-left principle for security.
• Analyze, document, and regulate the use of open-source software to ensure the use of authentic open-source code and secure the code repositories.
• Develop a knowledge base for the agency on application security and establish the processes following industry standards and controls (e.g. OWASP or CIS Critical Security Controls).

Training and Certifications

• Obtain ongoing training and keep current with the threat landscape
• Achieve an industry recognized vendor agnostic information security certification within a year of appointment and maintain it throughout employment.