Do you like to identify and implement missing key security program elements? Have you worked on security policies, procedures, guidelines, controls, training, metrics and technologies? Do you like to run vulnerability/penetration tests and gap assessments, and review and audit application/database logs? If so, come join the 23andMe team.
Identify and implement missing key security program elements, which may include security policies, procedures, guidelines, controls, training, metrics and technologies.
Run vulnerability/penetration tests/gap assessments.
Review and audit application/database logs and respond to alerts.
In coordination with the VP of Engineering and Chief Security Officer, manage incident response and mitigation plans to address root cause(s).
Secure software design—translating security requirements into application design elements
Secure software implementation/coding—work with QA to implement unit testing for security functionality and resiliency to attack, and develop secure code and exploit mitigations
Software acceptance—security implication in the software acceptance phase
Software Deployment, Operations, Maintenance and Disposal—security issues around steady state operations and management of software
In conjunction with the VP of Engineering and Chief Security Officer, serve as 23andMe’s security point person on Infrastructure and Application Development security issues.
Assist with internal security audits
Work with external audit entities to ensure compliance.
Review responses to client security questionnaires and RFPs.
Advise Engineering and IT leadership concerning technology architecture, and configuration of IT infrastructure and applications to improve security.
Research business and technical requirements and evaluate vendor products and services.
Perform related duties as requested or assigned.
Extensive experience implementing/deploying security initiatives and systems that partner with other IT areas and business units.
Expert knowledge of web application security (OWASP, black-box/white-box testing of web applications, application firewalls, fuzzing).
Experience with Encryption, Two-Factor Authentication, Integrity Monitoring, Log Management and intelligence, Penetration/Vulnerability testing and other common security technologies.
Extensive experience across a broad, interdisciplinary skill set: systems, networks, security, and application development on the LAMP stack.
Experience developing Business Continuity/Disaster Recovery plans.
Understanding of and experience with HIPAA, HITECH Act, Sarbanes-Oxley, PCI, CA SB-1386, and CA SB-24 requirements.
Experience developing corporate policies, crisis management, performing technical and documentation audits.
Knowledge of and demonstrated experience with a variety of network, host, database and other monitoring tools.
Knowledge of and demonstrated experience with the layers of the ISO stack, TCP/IP, Encryption technology, PKI, VPN, IPSec, and SSL.
Strong understanding of the core principles of confidentiality, integrity and availability.
Ability to successfully plan, organize and prioritize projects and work on multiple tasks simultaneously.
Demonstrated success working independently in a fast-paced environment with changing priorities.
Deep understanding of core security technologies such as vulnerability assessment, intrusion detection/prevention, auditing principles, secure software development life cycle, application/code vulnerability and penetration technologies, host and network security.
Windows, OSX and Unix security knowledge and experience.
General working knowledge of networking technologies (LAN, WAN, etc.).
Knowledge of security standards (ISO-17799/27001).
Bachelor's degree in computing, business, or an equivalent combination of training and experience.
8+ years' experience in an information security role.
Certified Information Systems Security Professional (CISSP) required.
Certified Information Systems Auditor (CISA) strongly preferred.
Other certifications strongly preferred (CSSLP, CIPP/IT, GIAC, Security+, CISM, CGEIT, CRISC).