Principal-Technology Security at AT&T in St. Louis, Missouri

Posted in Other 11 days ago.

Job Description:

Overall Purpose: This career step requires expert level experience. Responsible for review and analysis of security requirements, works with senior team members to develop integrated plans to protect corporate assets and information technology, and administers security systems to support daily security operations.

Key Roles and Responsibilities: Includes researching, recommending, documenting, and coordinating implementation of changes to policies, procedures, facilities, and systems to enhance security as well as developing and delivering corporate security awareness training for users and technical security training for system administrators. Facilitates compliance with company security policies, practices and legal requirements. May provide support to non-management employees, including coaching, on-the-job and formal training, reference materials, procedures and system documentation. Provides information to management regarding the negative impact on the business caused by theft, destruction, alteration or denial of access to information. May interface with other stakeholders including vendors, application development and technical support staff, and clients. May provide inventory and asset management resources to security operation, including administrative supplies, security specific resources such as SecurID cards or cryptographic key management, and specialized security software.

This position will be responsible for:

50% - Ensures alignment to PCI DSS 3.2.1 or most current PCI DSS version utilizing the PCI SSC Cloud Guidelines and PCI Third Party Security Assurance security practices and requirements within AT&T’s public cloud environment. Serves as the lead for PCI applications onboarding to AT&T’s public cloud strategy and demonstration of PCI DSS compliance requirements. Leads in the collection, proofing and validation of all security controls and tools running operationally in the public cloud environment as well as in on-prem PCI applications during migration to the cloud.

30% - Position also supports BAU activities associated with PCI applications, servers, databases, key management, scanning, and the onboarding new PCI applications, on prem and within AT&T’s public cloud environment.Provides support for Business Unit supported applications when those applications have overlap to the above areas.Investigates, gathers, reviews and submits the following items to the PCI QSA for the PCI Merchant Assessment, ensuring all evidence below is accepted by the assessor.

• Provides effective communications to PCI stakeholder teams (application contacts and security liaisons) regarding the PCI application migration plans to the public cloud.

• Provides encryption key requirements to PCI stakeholder teams for public cloud instances.

• Validates Network level and connectivity diagrams for all on-prem and public cloud PCI applications.

• Facilitates working sessions for sample set applications with liaisons to review in detail the information provided in the Application Profiles, Data Repositories and Card Flow Diagrams for the cloud-based environment.

• Submission of Application Profiles, Data Repositories and Card Flow Diagrams (cloud and on-prem) to the QSA with a high-level overview of each of the PCI applications for resulting sample set.

• Provide initial documentation and deadlines to the application contacts to discuss non-compliant areas and options available to become compliant.

20% - Ensures that policies and business practices comply with federal and state laws/regulations and provides audit reports to management and the business unit and collaborates with the stakeholder teams using a consultative approach to help to remediate findings.Manages corporate compliance initiatives such as RIM, AT&T Compliance training enforcement, that enforce corporate policy and procedures and performs gap analysis on AT&T controls and requirements for PCI and data protection (SPI). Creates job aids to ensure business continuity.Maintains the repository of published documents (AT&T Merchant artifacts, vulnerability and penetration assessment findings and tracking of remediations) associated with Merchant PCI activities.Reviews the ROC (~200 pages) for QA to ensure that AT&T meets all compliance requirements for appropriateness to our PCI assessment on an annual basis.Assesses and responds to all RMAs within 5 business days and provides input in SARA/PMATT reviews. The position also creates standardization of controls, control owners, policies, and business practices as a critical part of the role as synergies emerge for the shared areas across the team.

Training and Special Skills:Demonstrated experience with AT&T’s Public Cloud strategy (Azure) and PCI DSS compliance requirements. Demonstrated experience with security controls and tools running operationally in the public cloud environment.Demonstrated experience with PCI DSS 3.2.1. Demonstrated experience with PCI SSC Cloud Guidelines. Third Party Security Assurance. Demonstrated security experience and in-depth familiarity with ASPR.

Job Contribution: Expert level technical professional. Advisor on technical knowledge and ATT technologies.

Education: Bachelors of Science degree in the field of Computers, Engineering, or Mathematics preferred.

Experience: Typically requires 8-10 years experience. Technical Career Pathway (TCP) role.

Supervisory: No.

Environmental Requirements: This position may be responsible for contributing to AT&T's compliance with environmental laws and regulations as applicable to its job function. This may include, but is not limited to, work related to fuel tanks, emergency and stand-by generators, boilers, hazardous waste, hazardous materials, batteries, manholes and vaults, water wells, linear and other construction projects, water discharge, or air emissions.

Required Qualifications:
  • Bachelor's degree in Computer Science, or Engineering in Mechanical Engineering with specialization in Industrial Production Engineering or a technical related field 
  • 5-8 years experience in IT security.
  • Knowledge in application security standards and process.
  • Proficient in database security.
  • Knowledge in identity and access management (access control and provisioning, theft tactics, etc.) and tools (SecurID cards, etc.)
  • Knowledge in network architecture and infrastructure components (Carrier-based network routers and switches, IPv6, etc.)
  • Knowledge in business continuity and disaster recovery (planning, etc.)
  • Proficient in Security Engineering, Planning and Monitoring
  • Knowledge in security hardware and software
  • Knowledge in Anti-virus (Virus, Worm, Malware, etc.)
  • Proficient in Cyber security tools (Sensage, etc.)
  • Understands identity and access management tools (SecurID cards, etc.).
  • Proficient in Cloud Computing (Internet data center architectures, hosting and application services, etc.).
  • Understands content distribution networks.
  • Proficient in data leakage prevention (DLP) technologies.
  • Knowledge in security audit, review, risk assessment, regulatory, controls (Audit and control structures, audit processes (SAS 70), Compliance assessment tools, etc.)                    
Desired Qualifications -
  • Certification in CISSP, CISA, CISM, other security or security technologies related certifications (i.e., CISCO, MSFT, Checkpoint, etc.)