GENERAL SUMMARY:

The Vulnerability Management (VM) Engineer plans, executes, and assesses vulnerability scanning activities. The VM engineer manages the output from these activities to provide comprehensive reporting to document the details of the vulnerabilities, their potential impact, and suggested remediations as needed. These services are provided by the VM Engineer to manage risk and ensure that the company’s overall security posture is sound. The VM Engineer works independently across functional groups within Information Security as well as working in collaboration with all functional areas relative to information technology systems, networks, applications, voice and data communications, and computing services within HFHS. The VM Engineer is knowledgeable of information security best practices, regulatory, and compliance requirements that impact privacy or security for the enterprise. The VM Engineer reports to the Vulnerability Management Services Manager. In conjunction the VM Engineer works in a collaborative effort with IT to assure vulnerability management and policy compliance security programs and technical controls are compliant with policies, applicable laws, and regulations.

EDUCATION AND EXPERIENCE:

• Bachelor’s Degree in Technology, Business Administration, Finance, Engineering, and Information Systems, Information Assurance or closely related field, required. Degree in other areas with appropriate level of experience and expertise is acceptable.
• 3-5 years experience required. CISSP, CISM, or CISA is preferred.
• Experience providing working knowledge and skills in the following: Security laws, mandates, standards, and best practices (i.e., HIPAA, ISO, ACA, DFIS, NACHA, Payor customer group security requirements, PCI, HITECH, GLB, etc.).
• Demonstratable relevant work experience within the areas of operational / technology auditing experience, and operational or IT risk experience.
• Experience or knowledge of technical and operational, business and healthcare and/or payor environment preferably.
• Familiarity with national security standards, business continuity, disaster recover, auditing, risk management, vulnerability assessments, regulatory compliance, and incident management.
• Solid understanding of project management and information technology background.
• Good analytical, organizational, verbal, and written communication skills.
• Ability to solve problems in a dynamic team environment and handle multiple assignments in a timely manner.
• Ability to effectively interface with various levels of management internally and as well as contacts outside the organization.
• Must be able to travel to other HFHS and Subsidiary facilities and vendor sites to meet with operating or audit personnel.
• A service focused team player who can lead and mentor team members.
• Excellent customer service and interpersonal skills demonstrated both over the phone and face-to-face to communicate technical information in non-technical terms.
• Consensus building and collaborative interpersonal skills.
• Good presentation skills.
• Ability to work under pressure, establish priorities and respond with urgency.
• Self-motivated with excellent verbal and written skills.

• Maintain technical and operational knowledge of information security, audit, and risk best practices, as well as legal and regulatory compliance requirements that impact privacy or security.
• Support HFHS as well as its subsidiaries.
• Work with minimal supervision, maintain and report against a work plan and as work progresses give appropriate updates.
• Schedule, execute, and validate OS and application focused vulnerability scans using deployed vulnerability management tools.
• Maintain an understanding of the threat landscape and communicate them with a focus on the most relevant, highest-risk threats.
• Conduct vulnerability assessments for deployed on-premises, cloud, and mobile technologies in use.
• Drive the end-to-end vulnerability lifecycle from discovery to closure. Identifying internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of the company’s information assets.
• Ensure the execution of regular and complete vulnerability scans and assessments of information systems and networks.
• Identify potential weaknesses and vulnerabilities on company assets (i.e., end points applications, etc.).
• Understand, review, and interpret assessment and scanning results and provide in-depth analysis of vulnerabilities and impacts to leadership.
• Tune vulnerability scanner technologies to reduce false positive findings.
• Act as a subject matter expert in vulnerability conversations.
• Identify and prioritize all vulnerabilities in client environments and provide timely vulnerability assessment reports to key stakeholders.
• Monitor and coordinate resolution of failed scan jobs (i.e., missing credentials, asset list updates, firewall issues, and policy and plugin misconfigurations.).
• Develop and present enterprise-level metrics for vulnerabilities and the associated remediation progress.
• Mange multiple customer requests and meet customer expectations within established service levels.