Well established corporation
• Reporting to the Information Security (IS) Manager, the Information Security Analyst (ISA) will perform - i. vulnerability scanning and automated code testing operations; ii. threat assessment and patch management advisory operations; iii. IT-related security incident containment and response; iv. management and implementation of IS initiatives; and v. risk assessment of new IT systems or enhancements.
• Work with business and IT stakeholders to schedule and perform system and network vulnerability scanning, classify and prioritise risks, and guide relevant stakeholders to ensure that systems and services that are either developed in house or acquired commercially are secured against known attack vectors and prevalent threats.
• Perform threat assessment and patch management advisory operations via analysis of open and commercial security intelligence feeds, and ensure business and IT patch management teams comply with defined Service Level Agreements (SLAs) for security patch deployment.
• Perform web scanning and automated code testing of in-house applications, and guide developers and IT colleagues on coding best practices and mitigations prior to production release to ensure that systems are resistant to known attack vectors, e.g. OWASP Top 10, when deployed.
• Work closely with IT developers and operations to respond to, mitigate and resolve IT-security related incident, so that there is no or minimal business impact and deficiencies that led to the incident are fixed.
• Work with assigned Project Manager to drive small- to mid-size IS initiatives to evaluate, acquire and deploy new IS technologies and capabilities, and ensure initiatives get completed on time and budget.
• Perform information security risk assessment and technical advisory for assigned project areas to ensure compliance to HKJC IS policy, standards and practices, as well as mitigation of all identified risks.
• Work closely with IT development and architecture teams to build up a culture of secure design and programming practices throughout the entire system development lifecycle.
• A university degree with strong technical background, particularly in web application development and/or networking
• 3 to 8 years’ experience working in technical IT roles, with at least 3 years’ hands-on development experience working in a corporate environment with large-scale transaction websites and complex IT infrastructures and operations. Minimal 3 years’ experience in technical IS risk assessments or testing; a CEH, GSEC or equivalent certification will be advantageous.
• Working knowledge of Secure Development Lifecycle (SDLC) and AGILE methodologies; DevOps experience will be advantageous.
• Excellent analytical skills and ability to create and present technical concepts and reports to senior IT management. Professional proficiency in Putonghua would be advantageous.
• Excellent programming experience in Java, .NET, Objective C, HTML5 and/or JavaScript.
• Experience with Perl, PHP, and Python would be desirable. In-depth experience of secure coding practices, source code review, and Internet threat vectors such as the OWASP top 10.
• Good working knowledge of Windows, Linux, OSX and mobile operating systems.
• Working knowledge of vulnerability testing tools and methodologies.
