Who We Are: We’re powering a cleaner, brighter future.
Exelon is leading the energy transformation, and we’re calling all problem solvers, innovators, community builders and change makers. Work with us to deliver solutions that make our diverse cities and communities stronger, healthier and more resilient.
We’re powered by purpose-driven people like you who believe in being inclusive and creative, and value safety, innovation, integrity and community service. We are a Fortune 200 company, 19,000 colleagues strong serving more than 10 million customers at six energy companies - Atlantic City Electric (ACE), Baltimore Gas and Electric (BGE), Commonwealth Edison (ComEd), Delmarva Power & Light (DPL), PECO Energy Company (PECO), and Potomac Electric Power Company (Pepco).
In our relentless pursuit of excellence, we elevate diverse voices, fresh perspectives and bold thinking. And since we know transforming the future of energy is hard work, we provide competitive compensation, incentives, excellent benefits and the opportunity to build a rewarding career.
Are you in? Primary Purpose:

Minimum Qualifications: MINIMUM QUALIFICATIONS

• Bachelor’s Degree in Computer Science, Information Technology (IT), or a related discipline, and typically 4 or more years of solid, diverse experience in cyber security vulnerability assessments, or equivalent combination of education and work experience.
• 1-3 years of ethical hacking experience.
• Application vulnerability testing and secure code reviews.
• Knowledge of cybersecurity principles (confidentiality, integrity, availability).
• Network protocols (e.g., TCP/IP) and directory services (e.g., DNS).
• Penetration testing principles and tools.
• System and application security threats and vulnerabilities (e.g., SQL injections).
• Leadership ability.
• Analytical and problem-solving skills.
• Excellent communication skills

Preferred Qualifications: PREFERRED QUALIFICATIONS

• Graduate degree in cyber security or related area of expertise.
• Relevant security certifications (CISSP, CISM, SABSA, GIAC)
• Demonstrated expert technical skills with various penetration testing technologies and tools.
• Demonstrated experience and subject matter knowledge in cyber and information security for applications, web architectures, operating systems, databases, and networks.
• Demonstrated experience and subject matter knowledge of SCADA, ICS, Distribution Automation, Smart Grid, DMS, and ECS systems architecture in relation to evaluating risk.
• Demonstrated experience and proven capabilities in network vulnerability assessment, application vulnerability assessment, application security architecture development, web application security, and application security testing.
• Demonstrated experience in addressing regulatory compliance for the security requirements in applicable laws and regulations, such as NERC CIP, SOX, PCI DSS, and HIPAA.
• Solid understanding and experience with security development lifecycle (SDL) processes for internally developed applications, including the web-based and Internet facing components.
• Demonstrated knowledge and experience in application security standards, methodologies, and technologies.
• Solid understanding to assess application and web architectures and operating systems for vulnerabilities and develop appropriate security countermeasures.
• Solid knowledge and experience with IT security aspects of operating systems, Active Directory, database (SQL) access, LDAP, Microsoft SharePoint, and web server configurations.
• Demonstrated experience in assessing and testing security applications and systems, such as Cisco firewalls, security appliances, IDS/IPS, SSL or TLS, IPSec, and web services security.
• Ability to demonstrate analytical skills, technical knowledge, and practical application of cyber and information security principles to business leaders and technical staff

PRIMARY PURPOSE OF POSITION

The Cyber Security Vulnerability Assessment Analyst will be expected to assist with conducting formal tests on web-based applications, networks, and other types of computer systems on a regular basis and determines/documents deviations from approved configuration standards and/or policies. This role will also be expected to assist with work on physical security assessments of servers, computer systems, and networks. Along with these tests and assessments, this role will participate in regular security vulnerability assessments from both a logical/theoretical standpoint and a technical/hands-on standpoint and recommend appropriate mitigations and/or remediation efforts. This role will enhance security services provided by the Cyber Vulnerability Detection and Management team. This is a hands-on role requiring technical skills across a wide range of IT/OT systems, applications, and infrastructure.

PRIMARY DUTIES AND ACCOUNTABILITIES

• Perform technical application and infrastructure security vulnerability assessments across a wide range of IT/OT systems, including applications, wireless and wired networks, web services, mobile applications, thick clients, Cloud solutions, etc.
• Work with the Business to effectively communicate the risks of identified vulnerabilities and make recommendations regarding the selection of cost-effective security controls to mitigate identified risks
• Develop/refine necessary governance documentation (policies, procedures, standards, guidelines) for all security vulnerability assessment processes.
• Collaborate with various teams (IT, Development, QA, etc) to help ensure designs and implementations meet specified security standards.
• Prepare detailed cyber security vulnerability metrics and reports for all Business Units and leadership (routine and ad hoc).
  Job Scope: JOB SCOPE
  The Senior Cyber Security Vulnerability Assessment Analyst will work closely with the project managers and project leads to help coordinate, plan, and successfully execute security vulnerability assessments across all areas of the company. The Security Vulnerability Assessment Analyst will manage all vulnerability assessment work (including the management of any external vendors as needed) and convey vulnerability assessment findings via onsite and remote meetings and presentations to various levels within the organization. This position will be responsible for assisting/consulting with the business on all necessary vulnerability remediation tasks. This position will work closely with business unit key managers throughout the organization to provide security assessment cost and forecasting for LRP.

Minimum Qualifications: MINIMUM QUALIFICATIONS

• Bachelor’s Degree in Computer Science, Information Technology (IT), or a related discipline, and typically 4 or more years of solid, diverse experience in cyber security vulnerability assessments, or equivalent combination of education and work experience.
• 1-3 years of ethical hacking experience.
• Application vulnerability testing and secure code reviews.
• Knowledge of cybersecurity principles (confidentiality, integrity, availability).
• Network protocols (e.g., TCP/IP) and directory services (e.g., DNS).
• Penetration testing principles and tools.
• System and application security threats and vulnerabilities (e.g., SQL injections).
• Leadership ability.
• Analytical and problem-solving skills.
• Excellent communication skills.

Preferred Qualifications: PREFERRED QUALIFICATIONS

• Graduate degree in cyber security or related area of expertise.
• Relevant security certifications (CISSP, CISM, SABSA, GIAC)
• Demonstrated expert technical skills with various penetration testing technologies and tools.
• Demonstrated experience and subject matter knowledge in cyber and information security for applications, web architectures, operating systems, databases, and networks.
• Demonstrated experience and subject matter knowledge of SCADA, ICS, Distribution Automation, Smart Grid, DMS, and ECS systems architecture in relation to evaluating risk.
• Demonstrated experience and proven capabilities in network vulnerability assessment, application vulnerability assessment, application security architecture development, web application security, and application security testing.
• Demonstrated experience in addressing regulatory compliance for the security requirements in applicable laws and regulations, such as NERC CIP, SOX, PCI DSS, and HIPAA.
• Solid understanding and experience with security development lifecycle (SDL) processes for internally developed applications, including the web-based and Internet facing components.
• Demonstrated knowledge and experience in application security standards, methodologies, and technologies.
• Solid understanding to assess application and web architectures and operating systems for vulnerabilities and develop appropriate security countermeasures.
• Solid knowledge and experience with IT security aspects of operating systems, Active Directory, database (SQL) access, LDAP, Microsoft SharePoint, and web server configurations.
• Demonstrated experience in assessing and testing security applications and systems, such as Cisco firewalls, security appliances, IDS/IPS, SSL or TLS, IPSec, and web services security.
• Ability to demonstrate analytical skills, technical knowledge, and practical application of cyber and information security principles to business leaders and technical staff.

Benefits: Benefits

• Annual salary will vary based on a candidate’s skills, qualifications, experience, and other factors: $79,200.00/Yr. – $108,900.00/Yr.
• Annual Bonus for eligible positions: 10%
• 401(k) match and annual company contribution
• Medical, dental and vision insurance
• Life and disability insurance
• Generous paid time off options, including vacation, sick time, floating and fixed holidays, maternity leave and bonding/primary caregiver leave or parental leave
• Employee Assistance Program and resources for mental and emotional support
• Wellbeing programs such as tuition reimbursement, adoption and surrogacy assistance and fitness reimbursement
• Referral bonus program
• And much more

Note: Exelon-sponsored compensation and benefit programs may vary or not apply based on length of service, job grade, job classification or represented status. Eligibility will be determined by the written plan or program documents