Vulnerability Management Analyst

The Vulnerability Management Analyst is responsible for managing the end-to-end vulnerability management lifecycle including detection, assessment, monitoring, and coordination of vulnerability treatment.

    Phoenix Park Gas Processors Limited                  

Position Identification

Job Summary

 TheVulnerability Management Analyst is responsible for managing the end-to-end vulnerability management lifecycle including detection, assessment, monitoring, and coordination of vulnerability treatment with the aim of reducing PPGPL’s cyber vulnerability risk. The Vulnerability Management Analyst works closely with various Technology Teams and internal stakeholders to ensure systems, endpoints and networks are baselined, deployed, and managed with an emphasis on strong, effective security controls and configurations. Reports to Supervisor Technology with day-to-day activities coordinated by Team Lead Infrastructure Services (TLIS). Interfaces with Cybersecurity Lead, Application Support and Users for Testing and Troubleshooting. The position is also required to provide related support to the group of companies, its subsidiaries and new business ventures as required.

 Dimensions

A critical service in support of the success of PPGPL’s strategy is ensuring that cybersecurity vulnerabilities that impact PPGPL’s cyber vulnerability risk are remediated in a timely manner and a way that minimizes impacts to productivity and safeguards PPGPL’s Technology Infrastructure and Information Assets.  The incumbent is required to analyze and understand PPGPL’s infrastructure, operating environment, technological environment, technology strategy, contribute to the operationalization of PPGPL’s cybersecurity strategy in the context of the effective detection and remediation of cybersecurity vulnerabilities within the technology infrastructure of the organization.

The position operates under general guidance and direction and is expected to be proactive in meeting organizational demands in a manner that constantly adds value to the organization. The position of Vulnerability Management Analyst has a strong business analyst dimension, systems maintenance and support dimension and must evidence a high level of interpersonal skills. He/she must operate within clearly prescribed rules, regulations and Internal controls and is bounded by clear performance expectations. The position operates under general guidance and direction, but is expected to demonstrate leadership, initiative and respond to work demands almost immediately. The incumbent interfaces with all levels of the organization.

 Individual’s Safety Responsibility:

It is the responsibility of each employee to protect oneself as well as fellow workers from injury. Work shall be conducted according to established safe practices and procedures. Please refer to PPGPL’s Safety Manual.

 Nature & Scope

Risk Assessment: The analyst must analyze the vulnerability scan results to determine the level of risk posed by each vulnerability.

Remediation: The analyst must develop and implement remediation plans to address identified vulnerabilities. Remediations are implemented and guided by PPGPL Technology change management policies and procedures, with an aim to reduce impact to employee productivity and cyber risk.

Communication: The analyst must communicate with various stakeholders including IT teams, business units, end users and management to provide updates on vulnerability management activities such as testing and troubleshooting of issues resulting from remediation activities.

Compliance: The analyst must ensure that all vulnerability management activities are following PPGPL standards and company policies, resulting in systems which comply to established security and configuration baselines.

Reporting: The analyst must prepare regular reports on vulnerability management activities and share them with relevant stakeholders.

Contacts: Internally communicates with all levels of the Organization including senior leaders, middle level management as well as externally with, consultants for project execution, system support, vendor, NGC Group subject matter experts and subsidiary company subject matter experts in the furtherance of building Business Intelligence Solutions.

Decision-Making Authority: The incumbent is expected to be self-directed in responding to internal client requests. Ensuring that activities are in alignment with company policies. The position has no financial approval authority but is responsible for managing the budgets within limits for areas under his/her responsibility.

Physical and Sensory Demands: Moderate sensory demands typical of a technical position, operating within a busy customer focused office environment with constant interruptions and competing.

Duties & Responsibilities

1. Investigate vulnerability findings present within the environment and coordinate remediation efforts in collaboration with other IT teams and subject matter experts.
2. Monitor and maintain awareness of critical vulnerabilities, remediating them through, group policies, Intune, MDM Policies, patch management, firewall policies, configurations in PPGPL’s existing security systems, implementing new security systems or by following mitigating processes to reduce impact.
3. Validate vulnerability management changes for accuracy and completion to drive timely remediation of critical vulnerabilities.
4. Troubleshoot system issues, discover, verify, test and report business impacts related to vulnerability management changes.
5. Implement, upgrade and maintain endpoint, network and perimeter cybersecurity systems throughout its lifecycle.
6. Collaborate with IT staff to ensure defined security and configuration baselines are being applied.
7. Create and maintain inventory reports and alerts using inventory, vulnerability, and patch management systems.
8. Provide status reports to leadership related to vulnerability management metrics, key risk indicators, trending risks, compliance, etc.
9. Initiate automation projects to minimize manual remediation processes in Technology operations.
10. Follow established processes to ensure compliance with policies. Report all suspicious activity or non-compliance to management.
11. Monitor and respond to security inquiries, requests, and incidents as part of PPGPL’s cybersecurity security operations center (SOC) to support the business through sound and timely cybersecurity response.
12. Assess new and existing technologies to determine potential value and risk to the enterprise and ensure risk beyond defined thresholds is appropriately treated.
13. Collaborate with IT staff to continually improve the success rate of vulnerability management activities.
14. Assist in continual design, implementation, and operationalization of security operations lifecycle to continually mature the security posture of PPGPL’s business environment and SIEM reporting.
15. Participate in the development and maintenance of the organization's disaster recovery and business continuity plans.
16. Participate in other special projects or strategic initiatives at the direction of Management in the furtherance of managing Technology, Data, and Information risk.
17. Project Leader and Implementor for Technology Projects.
18. Promote adherence of PPGPL Technology Policies.
19. Liaising with outside consultants, vendors and contractors to provide support, solutions and repairs and implementing\overseeing such solutions and repairs.
20.  Other duties as required to meet the needs of the business.
21. Leading and/or participating in committees and cross-functional teams in accordance with roles and duties identified as per workplans and/or team charters. 

 Job Specifications

Minimum Acceptable Academic Qualifications

• Bachelors Degree in Computer Science; Information Technology; Information Systems or Cybersecurity or related degree qualification from an accredited tertiary institution.

• Any one of the following Technical Security Certifications:
  • Microsoft Certified: Cybersecurity Architect Expert
  •  Microsoft 365 Certified: Security Administrator Associate (MS-500)
  • Microsoft Certified: Security Operations Analyst Associate
  • Microsoft Certified: Azure Security Engineer Associate

AND

Minimum Number of Years of Relevant Experience

• At least seven (7) years related work experience with two (2) years’ focused experience in information security, vulnerability analysis, or risk management.
• Experience managing Information Technology vulnerability management processes, remediation, and infrastructure server patching guidance while understanding business impact.
• Experience deploying and configuring enterprise-class technologies such as Microsoft Cloud Technologies (Azure and 365), vulnerability scanners, asset inventory systems, Configuation Management Database (CMDBs), firewalls, routers, switches, wireless access points, Virtual Private Network (VPNs), desktop, and server operating systems, Web Application Firewall (WAF), Data Loss Prevention (DLP), End Point Detection & Response (EDR), web gateways, and physical security.

Specific Skills and Knowledge

• Excellent teamworking skills for collaboration

• Presentation and influencing skills.
• Strong written, oral, and interpersonal skills
• Strong Troubleshooting skills
• Strong data analysis and project management skills
• Experience working and collaborating effectively with various stakeholders.
• Experience monitoring and evaluating technology processes and controls.
• Experience creating and maintaining high-quality documentation.
• Ability to resolve critical problems and identify risks.
• Adaptability to shifting priorities and timelines.
• Effective prioritization and task execution in high-pressure environments
• Willingness to learn and apply new technologies.
• Motivation to increase resource efficiency and energy conservation.
• Consideration for environmental impact in task execution

Disclaimer

“The above statements are intended to describe the general nature and level of work being performed by people assigned to this job. They are not intended to be an exhaustive list of all responsibilities, duties and skills required of personnel so classified.”