Information Security Penetration Tester

The Information Security Penetration Tester will be responsible for WPCU's Vulnerability and Penetration Testing program. They are primarily tasked with maintaining and maturing existing tools and processes that align with WPCU's size and complexity. This position is expected to coordinate with technical owners of various skill levels that range from business units and vendors to Information Technology. They will also develop reports with commensurate levels of details to properly communicate program status to various levels of management and will include traveling to various locations within WPCU's facilities footprint. 1) Penetration Testing and Vulnerability Management (40%) a) Responsible for managing vendor provided vulnerability and penetration testing. This includes ensuring PCI-ASV services are properly scoped, conducted, and addressed in accordance with PCI-DSS standards. b) Conduct additional hands-on vulnerability and penetration testing across internal attack surfaces (wired and wireless) and external environments. c) Collaborate with applicable business units or technical leads to validate vulnerabilities, determine risk, and provide appropriate remediation options. d) Collaborating with project teams and User Acceptance Testing to ensure new systems are integrated into scanning tools, scans are conducted, and issues are properly escalated with the project management team. e) Ensure vulnerability and penetration testing includes executive level summaries that address internal and external audit requirements. 2) Hardening (30%) a) Collaborate with project teams to identify when new hardening requirements are required, determining those standards, and integrating them with the project. b) Assess existing hardening methodology, identifying misconfigurations, and reporting overall control effectiveness on a regular basis for all applicable systems. c) Responsible for reviewing existing hardening standards annually, updating standards, communicating changes to appropriate technical owners, and tracking completion. 3) Vendor Management (10%) a) Primary technical contact for assigned vendors. This includes performance application administration responsibilities such as user provisioning and deprovisioning. b) Responsible for evaluating vendors to ensure they meet current industry standards and providing recommendations to the Information Security Manager and VP, Information Security for maturing the program. 4) Threat Intelligence (10%) a) Collect and analyze threat intelligence feeds from applicable threat sources. Responsible for escalating actionable alerts internally to Information Security leadership, and to appropriate Information Technology teams to ensure they are properly dispositioned. b) Formalize and maintain the tracking of threat intelligence events including corrective actions and resolution time. c) Responsible for providing monthly reporting to VP Information Security. 5) Security Awareness (10%) a) Collaborate with other Information Security team members to create appropriate required training materials and support enterprise-wide opportunities such as National Cyber Security Awareness Month. b) Ensures proper policies, procedures, risk mitigation activities, and operating controls are followed. Reports gaps in policies, procedures, and operating controls to leadership to ensure member impact and risk is mitigated.