Security Architect - PCI-DSS, ISO27001, Payments, Transactions, Crypto
Security Architect, PCI-DSS, ISO27001, Payments, Transactions, Cryptography, Information Security, Audit, Risk
The Security Architect is responsible for supporting multiple projects and programmes by defining and championing information security solutions. The role will work closely with systems and project engineers, developers, internal/external business stakeholders and project managers within various departments to assess risk and deliver pragmatic, flexible and sustainable security that includes people, process and technology.
Essential Job Duties and Responsibilities:
- Provide information security technical consultancy to the business. Champion best practices for architecture and design principles for the use of existing and new information security technologies across internal and customer systems
- Conduct security business impact analysis and audit for new and existing business applications or IT infrastructure. Provide advice and guidance on the application and operation of physical, procedural and technical security controls (eg the key controls in ISO27001 and/or PCI-DSS).
- Assist the Systems Engineering teams in the design and development of bespoke customer solutions, ensuring solutions fit into the standard set of products the business offers and that they are supportable and clearly documented.
- Ensure that technical standards for information security fit policy requirements and are maintained, communicated and implemented.
- Assist engineering and business development teams to clarify customer security requirements and develop security responses for customer bids.
- Assist development of processes and systems to enable effective security engineering within projects.
- Participate in design review boards within engineering development processes.
- Delivery of security support processes to customer services staff, including internal training and documentation as appropriate to support project transition.
- Some manual handling may occasionally be required
- May be required to work on other sites and datacentres
- Comply with values and adherence to all company policy and procedures. Comply with the code of conduct, quality, security and occupational health, safety and environmental policies and procedures.
- In addition to the duties and responsibilities listed, the job holder is required to perform other duties assigned by their manager from time-to-time, as may be reasonably required of them.
Minimum Job Requirements:
Skills knowledge and experience:
- Solid exposure of taking a leading role in the establishment and implementation of security architecture, policies and procedures.
- Experience of secure development life cycles (SDL)
- Good understanding of enterprise-scale security management process and infrastructure
- Exposure to current information security standards and regulations such as PCI-DSS, ISO 27001, SOX, UK DPA
- Exposure to enterprise IT infrastructure and tools (eg Microsoft, Cisco, Sun, Oracle)
- Experience of transactional revenue systems, Embedded systems, Smartcards, mobile payment systems
- Knowledge of cryptographic services
- Knowledge of wider security, audit, risk and compliance standards eg PCI-P2PE, PCI-POI-PTS, ISO 22301, ISO27005, ISO31000, NIST, GDPR
- Understanding of security within agile/DevOps and waterfall project methods, product development
- Experience of application security testing tools, eg SonarQube
- In depth understanding of information security control tools, eg ArcSight, Qualys, Splunk, Trend Micro DeepSecurity, Imperva, Tenable Nessus, TripWire, Cisco IPS, McAfee, IBM Guardium, Centrify, Barracuda
- Experience of quality management systems and external audit standards eg ISO 9001, ISAE3402
Education and qualifications
- Degree or equivalent and/or equivalent level of experience in relevant subject
- Certification as an Information Security professional (eg IISP/CISA/CISM/CISSP/ISA)
- Security and IT vendors' certifications
- ITIL v3/Prince2 foundation level/TOGAF
- Crest-registered penetration tester and/or security architect