
Welcome To Our Careers Page

Information Security Penetration Tester



Department

Enterprise Risk Management

Job Location

3560 Pentagon Blvd, Beavercreek, Ohio

Additional Locations

  • Cincinnati, Ohio
  • Columbus, Ohio

Position Type

Full-Time/Regular

Work Type

Variable

NMLS Required

No

Pay Classification

Exempt (Salary)

Grade and Compensation Band

PG 20: $99,632.00 – $149,406.40 (Annually)

Target Compensation

$110,000 - $135,000

The Information Security Penetration Tester will be responsible for WPCU’s Vulnerability and Penetration Testing program. They are primarily tasked with maintaining and maturing existing tools and processes that align with WPCU’s size and complexity. This position is expected to coordinate with technical owners of various skill levels, ranging from business units and vendors to Information Technology. They will also develop reports with a commensurate level of detail to properly communicate program status to various levels of management. The role includes traveling to various locations within WPCU’s facilities footprint.

1)      Penetration Testing and Vulnerability Management (40%)

a)       Responsible for managing vendor-provided vulnerability and penetration testing. This includes ensuring PCI-ASV services are properly scoped, conducted, and addressed in accordance with PCI-DSS standards.

b)      Conduct additional hands-on vulnerability and penetration testing across internal attack surfaces (wired and wireless) and external environments. 

c)       Collaborate with applicable business units or technical leads to validate vulnerabilities, determine risk, and provide appropriate remediation options.

d)      Collaborate with project teams and User Acceptance Testing to ensure new systems are integrated into scanning tools, scans are conducted, and issues are properly escalated with the project management team.

e)      Ensure vulnerability and penetration testing includes executive-level summaries that address internal and external audit requirements.

2)      Hardening (30%)

a)       Collaborate with project teams to identify when new hardening requirements are needed, determine those standards, and integrate them with the project.

b)      Assess existing hardening methodology, identify misconfigurations, and report overall control effectiveness on a regular basis for all applicable systems.

c)       Responsible for reviewing existing hardening standards annually, updating standards, communicating changes to appropriate technical owners, and tracking completion.

3)      Vendor Management (10%)

a)       Primary technical contact for assigned vendors. This includes performing application administration responsibilities such as user provisioning and deprovisioning.

b)      Responsible for evaluating vendors to ensure they meet current industry standards and providing recommendations to the Information Security Manager and VP, Information Security for maturing the program.

4)      Threat Intelligence (10%)

a)       Collect and analyze threat intelligence feeds from applicable threat sources. Responsible for escalating actionable alerts internally to Information Security leadership, and to appropriate Information Technology teams to ensure they are properly dispositioned.

b)      Formalize and maintain the tracking of threat intelligence events including corrective actions and resolution time.

c)       Responsible for providing monthly reporting to VP Information Security.

5)      Security Awareness (10%)

a)       Collaborate with other Information Security team members to create appropriate required training materials and support enterprise-wide opportunities such as National Cyber Security Awareness Month.

b)      Ensure proper policies, procedures, risk mitigation activities, and operating controls are followed. Report gaps in policies, procedures, and operating controls to leadership to ensure member impact and risk are mitigated.


Required Skills

This position in Information Security must be skilled at developing and leading strategic Information Security programs across the enterprise in a complex, multi-system and multi-vendor environment. Strong, practical knowledge of Information Security concepts and technical architecture is essential. Expert knowledge of risk and information security frameworks is essential.

1)      A bachelor’s degree is required, preferably in Information Technology, Information Security, or a related field. 

2)      5+ years of experience in Information Technology or Information Security is required.

3)      Candidates must demonstrate working knowledge of TCP/IP, OSI Layer, IPv4 & IPv6, Network Protocols, and Wireless Communications or have 5+ years of network infrastructure management experience.

4)      Candidates must demonstrate working knowledge of managing operating systems.

5)      A certification such as Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), Certified Ethical Hacker (CEH), PenTest+, or a similar certification is preferred.

6)      Demonstrate strong understanding of cybersecurity principles, defensive strategies, hardening, and offensive tactics and techniques.

7)      Demonstrate experience in Application Administration including how to perform user access and rights reviews to align with least privilege access.

8)      Demonstrate ability to drive and manage initiatives that increase operational efficiency, enhance quality, and improve or maintain service levels.

This position is located at 3560 Pentagon Blvd, Beavercreek, OH.