Information Security Analyst III
Position Summary: Delivers complex solutions to meet the company’s information security objectives. The solutions will include one or more of the following: network, platform and user access policies, standards and configurations; identity, content and vulnerability management; encryption; network and host-based intrusion detection and prevention; physical security; social engineering; incident response (CIRT); public key infrastructure; application-level security; Sarbanes-Oxley compliance (404, 302, 409); user provisioning; and others as they mature in the industry.
Dimensions of the Position: Position Reports Directly to: Information Security Project Manager
Essential Functions and Responsibilities: Depending on the specific position requirements, the Analyst must have experience with one or more of the following: Planning, Architecture, Operations, Monitoring.
Planning
Management for Information Security Initiatives, programs and projects
- Provides program and/or project management for the Information Security Group.
- Helps with the development of the overall Information Security program budget.
- Develops plans for the assessment and implementation of new elements of the security program, vendor selection, and contract management for information security software, systems, and services.
Information Security, BCP and Risk Management policies, procedures, and standards development
- Develops and maintains security policies, procedures, and standards documentation.
- Manages exception process (waiver) for policies and standards.
- Recommends policy changes to the Information Security Management Committee.
Information Security training and support to information technology personnel
- May provide training and support to Lowe’s IT personnel regarding Information Security best practices, industry or regulatory issues, and Information Security technologies.
Security risk analysis
- Defines scope of Information Security risk analysis.
- Identifies environment assets for review.
- Evaluates the importance of assets within company’s operation.
- Identifies asset threats, vulnerabilities, and compensating controls.
- Develops a risk profile for the assessed environment.
- Develops a risk reduction plan for the environment.
Architecture
Information Security Technology Platform Development
- Provides architectural recommendations for the configuration, implementation and maintenance of:
- Vulnerability/Scanning and hacking/attack tools
- Forensics/collaboration/management platforms
- User access authentication and administration
Information Security Technology Consultation
Provides consultation services to the appropriate engineering units who configure, implement and maintain:
- Firewalls
- Intrusion detection systems
- Internally/Externally accessed computing platforms
Technical security configuration standards development and maintenance
- Coordinates development of technical security configuration standards for applications and operating systems.
- Updates technical security standards when patches and upgrades are released.
Information security technology solutions research
- Researches and develops new Information Security technology solutions for Lowe’s.
- Ensures Information Security requirements are integrated in the overall Lowe’s systems architecture.
- Assesses security patches and upgrades of existing applications and operating systems within Lowe’s.
External Access
- Helps management to ensure Information Security requirements are integrated in the overall Lowe’s systems architecture.
- Technical project management for the information security projects
- Provides technical project management for the Information Security Group.
- Develops the technical scope of Information Security programs and projects
- Provides technical evaluation in RFI and RFP processes.
- Provides security consulting services to business areas and other functional groups including technical assessment of exception requests (waivers) and project level support
- Provides consulting services to IT employees that are defining information security strategies and solutions for business and MIS initiatives and operations
- Helps define BCP strategies and plans
- Provides ad hoc support to committees and working groups as required by the ISMC
Architectural standards and models for information security software, systems, and services
- Supports the IT strategy and architecture through the development of the Information Security elements of the overall architecture.
Operations
Information Security Technology Operations
Operates Information Security Services and/or technologies:
- Vulnerability Assessments (internal and external)
- Scanning and hacking/attack platforms
- Forensics/collaboration/management platforms
- User access authentication and administration
- Develops security intrusion and event monitoring solutions and an incident response process
- Implements emergency response, disaster recovery and crisis management procedures
Information Security Technology Support
Uses and/or assists with technologies to effectively support:
- Firewalls
- Intrusion detection systems
Information Security Technology Deployment
- Oversees/provides advice for the deployment of technical Information Security standards for operating systems and applications.
- Assists, as needed, with the implementation of “standard builds” for all existing/new systems to ensure minimum baseline security standards.
- Deploys security standards on security infrastructure devices operated by the Information Security Group.
- Ensures technical security standards are integrated into the Lowe’s change control process.
User Access Management
- Defines user account management and access control processes for all user ids and access profiles within Lowe’s
- Creates and maintains effective controls for user account management and access controls for all user ids and access profiles within Lowe’s.
- Manages external vendor/business partner access controls, including issue and revocation of digital certificates.
- Provides management reports on metrics established for the user account management process
- Helps the business develop and implement effective controls for consumer and employee privacy.
Vulnerability Management
- Ensures technical Information Security standards are integrated into the Lowe’s change control processes.
- Identifies Information Security threats to current technologies
- Monitors vulnerability tracking services for new alerts.
- Notifies administrators of new vulnerabilities and coordinates the distribution of vulnerability patches.
- Maintains asset inventory of the technology environment to aid in determining vulnerability status.
- Manages the deployment of technical security standards for operating systems and applications
- Performs Operations and Maintenance of Security products and systems
Monitoring
Information Security Investigation
- Performs technical investigation and forensic analysis to support investigation of Information Security incidents.
- Tracks all Information Security incidents that involve misuse of Lowe’s information assets or that affect information security and compliance.
Information Security Incident Response
- Manages the incident response process and notification procedures for Lowe’s.
- Tracks all security-related incidents.
Information Security Monitoring of Operational Systems
- Validates day-to-day monitoring of systems is being performed by administrators and other assigned personnel as the first line of defense in detecting malicious activity or unintended breaches or loss of system availability.
- Manages intrusion detection systems
- Periodically scans the technology environment to determine vulnerability status
- Reviews security logs of firewalls and other security infrastructure systems for any unauthorized or unrecognized activity
- Monitors Lowe’s networks and systems for information security-related events and incidents.
System Information Security Audits
- Performs periodic security review of the Lowe’s systems to ensure operational compliance with the policies and standards as related to operating systems, network and computing devices, and applications. The audit of systems may be coordinated with Internal Audit in order to provide best use of resources.
- Performs periodic (e.g. daily, weekly) security scans of the technical environment to determine compliance with policy and standards and identify and track potential vulnerabilities
Compliance Reporting
- Develops required management reports to demonstrate the effectiveness of controls and report any identified lapses.
Required Qualifications:
Six years’ experience in the Information Technology Industry
Three years’ experience with Information Security (per Sections I and III)
4 year college degree in related field or equivalent job experience.
Strong technical, analytical, interpersonal, communication and writing skills.
Strong verbal and written communication skills with ability to work in a team environment
Preferred Qualifications:
“Retail” experience in the Information Technology Industry
One or more of the following Certifications:
Certified Information Systems Security Professional (CISSP).
CPP certification from American Society for Industrial Security
GIAC Global Information Assurance Certification from SANS Institute
Cisco Certified Network Administrator (CCNA) or Cisco Certified Network Professional (CCNP)
Mainframe systems administration experience
Working knowledge of network security standards: frame relay, ATM, SONET, gigabit Ethernet and wireless
